CVE-2025-67635 is a vulnerability identified in Jenkins, a widely used open-source automation server that facilitates continuous integration and continuous delivery (CI/CD). The flaw exists in Jenkins versions 2.540 and earlier, including the Long-Term Support (LTS) release 2.528.2 and earlier. The issue arises because Jenkins does not properly close HTTP-based Command Line Interface (CLI) connections when the connection stream becomes corrupted. This improper handling leads to resource exhaustion or hanging connections, which an unauthenticated attacker can exploit remotely to cause a denial of service (DoS) condition. The vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release), indicating that the system fails to release resources correctly, leading to potential service disruption. The CVSS v3.1 base score is 7.5 (high severity), reflecting the network attack vector, no required privileges, no user interaction, and a high impact on availability, while confidentiality and integrity remain unaffected. No known exploits have been reported in the wild, and no official patches have been linked at the time of publication. The vulnerability affects Jenkins instances exposed to untrusted networks, especially those that allow HTTP-based CLI access without adequate network segmentation or access controls. Attackers can repeatedly send malformed or corrupted CLI connection streams, causing Jenkins to maintain open connections and eventually exhaust system resources, leading to service unavailability. This can disrupt automated build and deployment pipelines, impacting development velocity and operational continuity.

For European organizations, the primary impact of CVE-2025-67635 is denial of service against Jenkins servers, which are critical components in modern software development and deployment workflows. Disruption of Jenkins services can halt CI/CD pipelines, delaying software releases, updates, and security patches, thereby increasing operational risk. Organizations relying on Jenkins for infrastructure automation, testing, or deployment may experience significant downtime, affecting business continuity and potentially causing financial losses. In sectors such as finance, telecommunications, manufacturing, and public services, where automation and rapid deployment are essential, this vulnerability could lead to cascading operational disruptions. Additionally, prolonged outages may increase the attack surface by forcing organizations to revert to manual processes or less secure alternatives. Since the vulnerability requires no authentication and can be exploited remotely, exposed Jenkins instances in European data centers or cloud environments are at heightened risk. The lack of confidentiality or integrity impact reduces the risk of data breaches but does not mitigate the operational consequences of service unavailability.

1. Upgrade Jenkins to a version later than 2.540 (or LTS later than 2.528.2) as soon as official patches or releases addressing CVE-2025-67635 become available. 2. Until patches are applied, restrict network access to Jenkins HTTP-based CLI interfaces by implementing strict firewall rules, VPN access, or network segmentation to limit exposure to trusted users and systems only. 3. Disable the HTTP CLI protocol if not required, or switch to more secure communication methods such as SSH-based CLI access. 4. Monitor Jenkins server logs and network traffic for abnormal or persistent CLI connection attempts that may indicate exploitation attempts or resource exhaustion. 5. Implement resource limits and connection timeouts on Jenkins servers to mitigate the impact of hanging or corrupted connections. 6. Regularly audit Jenkins configurations and access controls to ensure minimal exposure of management interfaces. 7. Incorporate Jenkins vulnerability scanning and patch management into the organization's security operations and DevSecOps practices to ensure timely detection and remediation of such vulnerabilities.