Base Score

HIGH7.5

CVE-2025-67635

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service.

VectorNETWORK

Published Byjenkinsci-cert@googlegroups.com

Published DateDec 10, 2025, 17:15

Affected Versions(4)

org.jenkins-ci.main:jenkins-core(Maven)

Introduced2.529

Fixed2.541

LimitN/A

org.jenkins-ci.main:cli(Maven)

Introduced2.529

Fixed2.541

LimitN/A

org.jenkins-ci.main:jenkins-core(Maven)

Introduced0

Fixed2.528.3

LimitN/A

org.jenkins-ci.main:cli(Maven)

Introduced0

Fixed2.528.3

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.main:jenkins-core(Maven)	2.529	2.541	N/A
org.jenkins-ci.main:cli(Maven)	2.529	2.541	N/A
org.jenkins-ci.main:jenkins-core(Maven)	0	2.528.3	N/A
org.jenkins-ci.main:cli(Maven)	0	2.528.3	N/A

Weakness Type (CWE):CWE-404

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH

References

https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3630

Base Score

HIGH7.5

Weakness Type (CWE):CWE-404

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH