Jenkins Security Advisory 2025-09-17 Patches High-Severity HTTP/2 DoS and Other Flaws
Jenkins released Security Advisory 2025-09-17 addressing four vulnerabilities, including a high-severity HTTP/2 denial-of-service flaw in bundled Jetty.

Jenkins released Security Advisory 2025-09-17 on September 17, 2025, addressing multiple vulnerabilities in Jenkins Core. The advisory covers four security flaws, including a high-severity HTTP/2 denial-of-service vulnerability (CVE-2025-5115) in the bundled Jetty server, as well as three medium-severity issues involving missing permission checks and log message injection.
The most critical vulnerability, CVE-2025-5115 (dubbed "MadeYouReset"), affects Jenkins 2.523 and earlier, and LTS 2.516.2 and earlier. It stems from a flaw in Jetty that allows unauthenticated attackers to cause a denial of service when HTTP/2 is enabled. HTTP/2 is disabled by default in all native installers and Docker images provided by the Jenkins project, but instances that enable it via the `--http2Port` argument are vulnerable. Jenkins 2.524 and LTS 2.516.3 update the bundled Jetty to version 12.0.25, which is unaffected. Administrators unable to update are advised to disable HTTP/2.
Three medium-severity vulnerabilities were also patched. CVE-2025-59474 involves a missing permission check in the sidepanel of a page accessible to users without Overall/Read permission, allowing attackers to list agent names. CVE-2025-59475 is a similar missing permission check in the authenticated user profile dropdown menu, which could leak limited configuration information. CVE-2025-59476 is a log message injection vulnerability that allows attackers to insert line break characters and forged log messages, potentially misleading administrators. Jenkins 2.528 and LTS 2.516.3 address these issues by adding permission checks and indicators for injected line breaks.
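As an added example (not code from the advisory or from Jenkins itself), the Python below shows the idea behind the log-injection fix: attacker-supplied line breaks are turned into visible markers before a value is written to the log, shown beside the vulnerable verbatim interpolation and a small heuristic for spotting such injections in logs written before the fix. The sample value and the "LEVEL: message" log format are constructed for the demonstration.

```python
import re

# Constructed sample: a value an attacker controls (say, a job or agent name
# echoed into a log message) carrying CR/LF plus a forged, legitimate-looking entry.
UNTRUSTED_VALUE = "build-42\r\nINFO: Deployment to production approved by admin"

# Line terminators are replaced by visible escape markers rather than dropped,
# so a reader can see that a break was injected; other control characters are
# removed because they can reshape or hide log text on a terminal.
_LINE_BREAKS = {"\r": "\\r", "\n": "\\n", "\u2028": "\\u2028", "\u2029": "\\u2029"}
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

def neutralize(value: str) -> str:
    """Return `value` made safe to embed in a single physical log line."""
    marked = "".join(_LINE_BREAKS.get(ch, ch) for ch in value)
    return _CONTROL.sub("", marked)

def log_line(template: str, **fields: str) -> str:
    """Format a log message with every interpolated field neutralized first."""
    return template.format(**{k: neutralize(v) for k, v in fields.items()})

def naive_log_line(template: str, **fields: str) -> str:
    """The vulnerable pattern: untrusted values interpolated verbatim."""
    return template.format(**fields)

# Detection side, for logs written before the fix. The constructed format is
# "LEVEL: message" with untrusted values in double quotes. A line that looks
# like a fresh entry but directly follows a line with an unterminated quote is
# the shape a CR/LF injected inside a quoted value leaves behind.
_ENTRY = re.compile(r"^(INFO|WARNING|SEVERE): ")

def find_suspect_entries(lines):
    """Return indexes of lines that may be forged continuations."""
    return [
        i for i in range(1, len(lines))
        if _ENTRY.match(lines[i]) and lines[i - 1].count('"') % 2 == 1
    ]

if __name__ == "__main__":
    naive = naive_log_line('INFO: Started job "{job}"', job=UNTRUSTED_VALUE)
    hardened = log_line('INFO: Started job "{job}"', job=UNTRUSTED_VALUE)
    print("naive    :", repr(naive), find_suspect_entries(naive.splitlines()))
    print("hardened :", repr(hardened), find_suspect_entries(hardened.splitlines()))
```

The heuristic only flags the quoted-field pattern shown here; a production detector would be tuned to the actual log format.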
The affected versions include Jenkins weekly up to and including 2.527, and Jenkins LTS up to and including 2.516.2. Users are urged to update to Jenkins weekly 2.528 or LTS 2.516.3 immediately. The Jenkins project credited Daniel Beck of CloudBees, Manuel Fernandez of Stackhopper Security, and Robert Houtenbrink, Faris Mohammed, and Harsh Yadav from the IBM Cloud Red Team for reporting the vulnerabilities.
This advisory highlights the ongoing need for timely patching in CI/CD environments, where Jenkins servers are often critical infrastructure. The HTTP/2 DoS flaw, while limited to instances with HTTP/2 enabled, could be exploited to disrupt build pipelines and development workflows. The permission check issues, though medium severity, underscore the importance of least-privilege access controls even in internal tools.