CVE-2025-68931
Published: 13 January 2026
Summary
CVE-2025-68931 is a high-severity Improper Authentication (CWE-287) vulnerability in Samrocketman Jervis. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-68931 affects Jervis, a library used for Job DSL plugin scripts and shared Jenkins pipeline libraries in versions prior to 2.2. The vulnerability arises from the implementation of AES/CBC/PKCS5Padding without authentication, which exposes it to padding oracle attacks and ciphertext manipulation. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWEs 287 (Improper Authentication) and 327 (Broken Cryptographic Algorithm).
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, user interaction, or special conditions. Exploitation enables high-impact integrity violations, such as modifying encrypted data through padding oracle techniques or direct ciphertext tampering, while confidentiality and availability remain unaffected.
The issue is addressed in Jervis version 2.2. Security practitioners should review the GitHub security advisory at https://github.com/samrocketman/jervis/security/advisories/GHSA-gxp5-mv27-vjcj and the fixing commit at https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a for patch details and upgrade guidance.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2022
Vulnerability details
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. This vulnerability is fixed in 2.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Padding oracle and unauthenticated AES-CBC usage directly enables integrity tampering of encrypted data (ciphertext manipulation), mapping to stored data manipulation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SC-13 requires implementation of approved cryptographic mechanisms providing both confidentiality and integrity protection, directly mitigating the unauthenticated AES/CBC/PKCS5Padding vulnerable to padding oracle attacks and ciphertext manipulation.
SI-2 mandates timely identification, reporting, and remediation of flaws like CVE-2025-68931, enabling upgrade to Jervis 2.2 which fixes the lack of authentication in encryption.
SI-7 employs integrity verification mechanisms such as cryptographic hashes or digital signatures to detect unauthorized modifications to encrypted data exploited via padding oracle or tampering techniques.