Jenkins Issues Security Advisory for Patched Vulnerabilities

The Jenkins project has issued a new security advisory detailing multiple vulnerabilities affecting recent versions of Jenkins core. The issues include a high-severity denial-of-service (DoS) vulnerability affecting instances configured to use HTTP/2, as well as several medium-severity flaws related to permission checks and log handling.

The most critical issue, tracked as CVE-2025-5115, involves a vulnerability in the Jetty server bundled with Jenkins. This vulnerability, dubbed “MadeYouReset,” allows unauthenticated attackers to cause a denial of service on Jenkins instances with HTTP/2 enabled. According to the advisory, the flaw affects Jenkins 2.523 and earlier, as well as LTS 2.516.2 and earlier, due to the inclusion of vulnerable Jetty versions via the Winstone-Jetty wrapper.

The affected configuration is not common in default setups. HTTP/2 support must be explicitly enabled, either by passing the `--http2Port` argument when starting Jenkins or through service configuration files. Jenkins installations using default packages or Docker images are not exposed unless HTTP/2 was manually enabled. The issue is resolved in Jenkins 2.524 and LTS 2.516.3, which bundle Jetty version 12.0.25, unaffected by this flaw. Administrators unable to upgrade immediately are advised to disable HTTP/2 as a temporary mitigation.

In addition to the Jetty vulnerability, three other issues are addressed in the advisory:

  • CVE-2025-59474 describes a missing permission check that allowed users without Overall/Read permissions to view agent names via a sidepanel widget. Jenkins 2.528 and LTS 2.516.3 remove this panel entirely from the affected view.
  • CVE-2025-59475 relates to a similar permission oversight in the profile dropdown menu for authenticated users. The flaw enabled unauthorized users to infer details about Jenkins configuration, such as installed plugins. The updated versions now enforce proper permission checks in these UI components.
  • CVE-2025-59476 details a vulnerability in Jenkins’ log message formatter. Improper handling of special characters allowed for log injection, which could mislead administrators by forging log entries or hiding actual log content. The fix introduces visual indicators for inserted line breaks, but the advisory notes that other character-based obfuscation methods, including Unicode “Trojan Source” techniques, remain a concern. Use of advanced log viewers capable of detecting such anomalies is recommended.
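As an added example (not code from the advisory or the Jenkins project), the following Python auditor shows what a log viewer with the anomaly detection the advisory recommends would check for: embedded line breaks that forge entries, and Unicode bidi or invisible characters of the “Trojan Source” kind that hide or reorder rendered text. The sample messages are constructed, not real Jenkins output.

```python
import unicodedata

# Constructed sample log messages (not real Jenkins output). The first embeds a
# line break to forge a second entry; the second carries a right-to-left
# override, the "Trojan Source" style of obfuscation the advisory warns about.
SAMPLE_MESSAGES = [
    "Login failed for user 'bob\nINFO: Login succeeded for user admin'",
    "Built job 'release\u202e' by user mallory",
]

# Unicode bidirectional controls (ALM, LRM, RLM, LRE, RLE, PDF, LRO, RLO,
# LRI, RLI, FSI, PDI) and zero-width/invisible characters.
BIDI_CONTROLS = {"\u061c", "\u200e", "\u200f", "\u202a", "\u202b", "\u202c",
                 "\u202d", "\u202e", "\u2066", "\u2067", "\u2068", "\u2069"}
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def audit_message(message):
    """Count anomalies in one raw log message.

    Returns a dict with counts of embedded line breaks, bidi controls,
    invisible characters and any other C0/C1 control characters.
    """
    findings = {"line_breaks": 0, "bidi": 0, "invisible": 0, "control": 0}
    for ch in message:
        if ch in "\r\n":
            findings["line_breaks"] += 1
        elif ch in BIDI_CONTROLS:
            findings["bidi"] += 1
        elif ch in INVISIBLE:
            findings["invisible"] += 1
        elif unicodedata.category(ch) == "Cc":  # remaining control characters
            findings["control"] += 1
    return findings


def is_suspicious(message):
    """True if any anomaly category was found."""
    return any(audit_message(message).values())


def render_visible(message):
    """Render the message so the anomalies cannot hide.

    Embedded line breaks become a visible marker (the same idea as the fix's
    indicator); every other flagged character is shown as its code point.
    """
    out = []
    for ch in message:
        if ch in "\r\n":
            out.append("\u21b5")  # visible stand-in for the inserted break
        elif ch in BIDI_CONTROLS or ch in INVISIBLE or unicodedata.category(ch) == "Cc":
            out.append("<U+%04X>" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(audit_message(msg), render_visible(msg))
```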

All vulnerabilities are resolved in Jenkins 2.528 (weekly) and LTS 2.516.3. The Jenkins project strongly encourages all users to upgrade to the patched versions. All earlier releases are considered vulnerable unless otherwise noted.

The advisory continues Jenkins’ ongoing efforts to address security concerns proactively, with particular attention to access control, logging integrity, and third-party dependencies.

For further technical details and remediation instructions, see the official Jenkins advisory notice.

