Cyber Resilience

CVE-2025-68704

High

Published: 13 January 2026

Published
13 January 2026
Modified
20 January 2026
KEV Added
Patch
CVSS Score v4 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0023 13.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-68704 is a high-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Samrocketman Jervis. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-68704 affects Jervis, a library used for Job DSL plugin scripts and shared Jenkins pipeline libraries. In versions prior to 2.2, Jervis relies on java.util.Random(), which is not cryptographically secure, for timing attack mitigation. This flaw, classified under CWE-330 (Use of Insufficiently Random Values), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.

Remote attackers can exploit this vulnerability over the network with low complexity. By leveraging the predictable randomness from java.util.Random(), adversaries may conduct timing attacks to infer sensitive information processed or protected by Jervis in Jenkins environments, potentially disclosing confidential data without impacting integrity or availability.

The vulnerability is addressed in Jervis version 2.2, where the insecure random number generator is replaced. Security practitioners should upgrade to 2.2 or later, as detailed in the GitHub security advisory (GHSA-c9q6-g3hr-8gww) and the fixing commit (c3981ff71de7b0f767dfe7b37a2372cb2a51974a).

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random() which is not cryptographically secure for timing attack mitigation. This vulnerability is fixed in 2.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability enables remote exploitation of a public-facing Jenkins library component for sensitive data disclosure via flawed timing attack mitigation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68702Same product: Samrocketman Jervis
CVE-2025-68931Same product: Samrocketman Jervis
CVE-2025-68703Same product: Samrocketman Jervis
CVE-2025-68698Same product: Samrocketman Jervis
CVE-2025-68701Same product: Samrocketman Jervis
CVE-2026-33710Shared CWE-330
CVE-2026-27637Shared CWE-330
CVE-2026-25072Shared CWE-330
CVE-2026-27515Shared CWE-330
CVE-2026-27755Shared CWE-330

Affected Assets

samrocketman
jervis
≤ 2.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely identification, reporting, and correction of flaws like the insecure java.util.Random() usage in Jervis prior to version 2.2, directly preventing timing attacks via patching.

detect

RA-5 mandates periodic vulnerability scanning to identify deployed vulnerable Jervis versions susceptible to predictable randomness exploitation.

detect

SI-5 ensures monitoring of external security advisories such as the GHSA for CVE-2025-68704, facilitating awareness and remediation of the timing attack vulnerability.

References