CVE-2025-68701
Published: 13 January 2026
Summary
CVE-2025-68701 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Samrocketman Jervis. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Contacts with security groups provide timely information on broken or risky cryptographic algorithms, reducing the likelihood of their selection and use.
Ongoing education and sharing of recommended practices helps organizations identify and migrate away from broken or risky cryptographic algorithms.
Cross-organization threat feeds commonly include advances in cryptanalysis and active exploits against weak or broken algorithms, allowing organizations to deprecate them proactively.
Capital planning and funding allow selection and ongoing support of strong cryptographic algorithms rather than weak or broken ones.
Risk updates surface newly-broken or risky cryptographic algorithms as threat intelligence and computing advances evolve, enabling timely replacement.
Scanners flag use of broken or weak cryptographic algorithms via known-vulnerability databases.
Controlled key-establishment processes produce unpredictable key values instead of values derived from observable or guessable state.
Enforces approved cryptographic algorithms for each use case, blocking use of broken or risky algorithms.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Weak deterministic AES IV allows remote decryption of protected sensitive data (e.g., credentials or secrets in Jenkins libraries/files), directly enabling local data access and unsecured credential retrieval.
NVD Description
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses deterministic AES IV derivation from a passphrase. This vulnerability is fixed in 2.2.
Deeper analysisAI
CVE-2025-68701 affects Jervis, a library used for Job DSL plugin scripts and shared Jenkins pipeline libraries. In versions prior to 2.2, Jervis employs deterministic AES initialization vector (IV) derivation from a passphrase, violating cryptographic best practices. This flaw is classified under CWE-327 (Broken or Risky Cryptographic Algorithm) and CWE-340 (Generation of Predictable IV with CBC Mode), earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation enables high-impact confidentiality violations, such as decrypting sensitive data protected by the affected encryption scheme due to the predictable IVs.
The GitHub security advisory (GHSA-crxp-chh4-9ghp) and fixing commit (c3981ff71de7b0f767dfe7b37a2372cb2a51974a) confirm mitigation by upgrading to Jervis version 2.2, which addresses the deterministic IV issue.
Details
- CWE(s)