Cyber Resilience

CVE-2025-68701

High

Published: 13 January 2026

Published
13 January 2026
Modified
20 January 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0020 10.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-68701 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Samrocketman Jervis. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 10.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-68701 affects Jervis, a library used for Job DSL plugin scripts and shared Jenkins pipeline libraries. In versions prior to 2.2, Jervis employs deterministic AES initialization vector (IV) derivation from a passphrase, violating cryptographic best practices. This flaw is classified under CWE-327 (Broken or Risky Cryptographic Algorithm) and CWE-340 (Generation of Predictable IV with CBC Mode), earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation enables high-impact confidentiality violations, such as decrypting sensitive data protected by the affected encryption scheme due to the predictable IVs.

The GitHub security advisory (GHSA-crxp-chh4-9ghp) and fixing commit (c3981ff71de7b0f767dfe7b37a2372cb2a51974a) confirm mitigation by upgrading to Jervis version 2.2, which addresses the deterministic IV issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses deterministic AES IV derivation from a passphrase. This vulnerability is fixed in 2.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Weak deterministic AES IV allows remote decryption of protected sensitive data (e.g., credentials or secrets in Jenkins libraries/files), directly enabling local data access and unsecured credential retrieval.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68698Same product: Samrocketman Jervis
CVE-2025-68702Same product: Samrocketman Jervis
CVE-2025-68931Same product: Samrocketman Jervis
CVE-2025-68703Same product: Samrocketman Jervis
CVE-2025-68704Same product: Samrocketman Jervis
CVE-2024-52884Shared CWE-327
CVE-2024-31896Shared CWE-327
CVE-2026-30791Shared CWE-327
CVE-2026-28479Shared CWE-327
CVE-2025-2539Shared CWE-327

Affected Assets

samrocketman
jervis
≤ 2.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of software flaws like the deterministic AES IV derivation in Jervis versions prior to 2.2 via upgrade to version 2.2.

prevent

Mandates FIPS-validated cryptographic mechanisms with proper initialization vector generation, directly preventing predictable IVs derived from passphrases that enable decryption of sensitive data.

detect

Provides vulnerability scanning and monitoring from sources like GitHub advisories to identify and assess the cryptographic weakness in Jervis for subsequent remediation.

References