CVE-2025-68701
Published: 13 January 2026
Summary
CVE-2025-68701 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Samrocketman Jervis. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 10.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-68701 affects Jervis, a library used for Job DSL plugin scripts and shared Jenkins pipeline libraries. In versions prior to 2.2, Jervis employs deterministic AES initialization vector (IV) derivation from a passphrase, violating cryptographic best practices. This flaw is classified under CWE-327 (Broken or Risky Cryptographic Algorithm) and CWE-340 (Generation of Predictable IV with CBC Mode), earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation enables high-impact confidentiality violations, such as decrypting sensitive data protected by the affected encryption scheme due to the predictable IVs.
The GitHub security advisory (GHSA-crxp-chh4-9ghp) and fixing commit (c3981ff71de7b0f767dfe7b37a2372cb2a51974a) confirm mitigation by upgrading to Jervis version 2.2, which addresses the deterministic IV issue.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2027
Vulnerability details
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses deterministic AES IV derivation from a passphrase. This vulnerability is fixed in 2.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Weak deterministic AES IV allows remote decryption of protected sensitive data (e.g., credentials or secrets in Jenkins libraries/files), directly enabling local data access and unsecured credential retrieval.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and correction of software flaws like the deterministic AES IV derivation in Jervis versions prior to 2.2 via upgrade to version 2.2.
Mandates FIPS-validated cryptographic mechanisms with proper initialization vector generation, directly preventing predictable IVs derived from passphrases that enable decryption of sensitive data.
Provides vulnerability scanning and monitoring from sources like GitHub advisories to identify and assess the cryptographic weakness in Jervis for subsequent remediation.