CVE-2025-68704
Published: 13 January 2026
Summary
CVE-2025-68704 is a high-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Samrocketman Jervis. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-68704 affects Jervis, a library used for Job DSL plugin scripts and shared Jenkins pipeline libraries. In versions prior to 2.2, Jervis relies on java.util.Random(), which is not cryptographically secure, for timing attack mitigation. This flaw, classified under CWE-330 (Use of Insufficiently Random Values), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.
Remote attackers can exploit this vulnerability over the network with low complexity. By leveraging the predictable randomness from java.util.Random(), adversaries may conduct timing attacks to infer sensitive information processed or protected by Jervis in Jenkins environments, potentially disclosing confidential data without impacting integrity or availability.
The vulnerability is addressed in Jervis version 2.2, where the insecure random number generator is replaced. Security practitioners should upgrade to 2.2 or later, as detailed in the GitHub security advisory (GHSA-c9q6-g3hr-8gww) and the fixing commit (c3981ff71de7b0f767dfe7b37a2372cb2a51974a).
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2024
Vulnerability details
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random() which is not cryptographically secure for timing attack mitigation. This vulnerability is fixed in 2.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote exploitation of a public-facing Jenkins library component for sensitive data disclosure via flawed timing attack mitigation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires timely identification, reporting, and correction of flaws like the insecure java.util.Random() usage in Jervis prior to version 2.2, directly preventing timing attacks via patching.
RA-5 mandates periodic vulnerability scanning to identify deployed vulnerable Jervis versions susceptible to predictable randomness exploitation.
SI-5 ensures monitoring of external security advisories such as the GHSA for CVE-2025-68704, facilitating awareness and remediation of the timing attack vulnerability.