CVE-2025-68703
Published: 13 January 2026
Summary
CVE-2025-68703 is a high-severity Inadequate Encryption Strength (CWE-326) vulnerability in Samrocketman Jervis. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Reduce Key Space (T1600.001); ranked at the 1.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-13 (Cryptographic Protection).
Deeper analysis
CVE-2025-68703, published on 2026-01-13, is a vulnerability in the Jervis library, which supports Job DSL plugin scripts and shared Jenkins pipeline libraries. In versions prior to 2.2, the salt used in key derivation is computed as sha256Sum(passphrase), resulting in identical derived keys for multiple encryption operations performed with the same passphrase. This issue, classified under CWE-326 (Inadequate Encryption Strength), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
The vulnerability enables exploitation by any network-accessible attacker without requiring privileges, user interaction, or special conditions. Attackers can achieve high confidentiality impact, such as recovering plaintext from encrypted data when multiple ciphertexts share the same passphrase-derived key.
Mitigation is provided in Jervis version 2.2, which addresses the flawed salt derivation. Security advisories recommend upgrading to 2.2 or later; details are available in the GitHub security advisory at https://github.com/samrocketman/jervis/security/advisories/GHSA-36h5-vrq6-pp34 and the fixing commit at https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2025
Vulnerability details
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. This vulnerability is fixed in 2.2.
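The deterministic-salt problem described above, as an added illustration that is not Jervis's own code: the key derivation function, iteration count, salt length and the assumption that the salt is stored next to the ciphertext are all constructed here, since the advisory only states that the pre-2.2 salt was sha256Sum(passphrase). The example shows that a salt which is a pure function of the passphrase makes every derivation with that passphrase return the same key, that a per-operation random salt does not, and how a deployment can flag stored blobs whose salt equals sha256(passphrase) so they can be re-encrypted after upgrading.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Hypothetical KDF parameters; the advisory does not state Jervis's KDF or settings.
KDF_ITERATIONS = 100_000
KEY_LEN = 32
SALT_LEN = 16


def weak_salt(passphrase: str) -> bytes:
    """Pre-2.2 behaviour described in the advisory: salt = sha256Sum(passphrase).
    The salt is a pure function of the passphrase, so it never varies."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Passphrase-to-key derivation. PBKDF2-HMAC-SHA256 is an assumption here,
    not Jervis's actual implementation."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, KDF_ITERATIONS, dklen=KEY_LEN
    )


def derive_key_weak(passphrase: str) -> Tuple[bytes, bytes]:
    """Deterministic salt: two calls with the same passphrase yield the same key,
    so every ciphertext produced with that passphrase shares one key."""
    salt = weak_salt(passphrase)
    return salt, derive_key(passphrase, salt)


def derive_key_fixed(passphrase: str) -> Tuple[bytes, bytes]:
    """Per-operation random salt: the same passphrase gives a fresh key each time.
    The salt must be stored alongside the ciphertext so decryption can re-derive the key."""
    salt = os.urandom(SALT_LEN)
    return salt, derive_key(passphrase, salt)


def uses_weak_salt(passphrase: str, stored_salt: bytes) -> bool:
    """Migration check (assumes the salt is stored with each blob): a salt equal to
    sha256(passphrase) came from the deterministic scheme, so that blob should be
    re-encrypted under the fixed scheme after upgrading."""
    return hmac.compare_digest(stored_salt, weak_salt(passphrase))


def demo() -> dict:
    """Run both schemes on a constructed sample passphrase and report the differences."""
    pw = "correct horse battery staple"  # constructed sample passphrase
    s1, k1 = derive_key_weak(pw)
    s2, k2 = derive_key_weak(pw)
    r1, rk1 = derive_key_fixed(pw)
    r2, rk2 = derive_key_fixed(pw)
    return {
        "weak_keys_identical": s1 == s2 and k1 == k2,   # True: same salt, same key
        "fixed_keys_identical": rk1 == rk2,             # False: fresh salt each time
        "legacy_salt_flagged": uses_weak_salt(pw, s1),  # True: needs re-encryption
        "fresh_salt_flagged": uses_weak_salt(pw, r1),   # False: already on the fixed scheme
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Upgrading to 2.2 changes how new ciphertexts are produced, but anything encrypted under the old scheme still shares its key with every other blob made from the same passphrase; the `uses_weak_salt` check is the kind of inventory step that finds those blobs so they can be rotated.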
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Predictable salt from passphrase directly reduces key derivation strength, enabling plaintext recovery from ciphertexts (matches Reduce Key Space).
Mitigating Controls (NIST 800-53 r5)
Directly requires proper cryptographic key establishment and management, which this CVE violates by deriving a deterministic salt (and thus identical keys) from the passphrase.
Mandates approved cryptographic protection mechanisms with adequate strength, directly countering the CWE-326 inadequate encryption strength flaw.
Requires cryptographic protection of information at rest, which fails when the library's passphrase-based encryption produces reusable keys.