CVE-2025-68701
Unknown Unknown - Not Provided
Insecure AES IV Derivation in Jervis Library Allows Cryptographic Weakness

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: GitHub, Inc.

Description
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses deterministic AES IV derivation from a passphrase. This vulnerability is fixed in 2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68701
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
samrocketman jervis to 2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-340 The product uses a scheme that generates numbers or identifiers that are more predictable than required.
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68701 is a vulnerability in the Jervis library versions prior to 2.2 where the AES-256 encryption implementation deterministically derives the initialization vector (IV) from the passphrase. This means the same IV is reused for encrypting identical plaintexts with the same passphrase, resulting in identical ciphertexts. This deterministic IV reuse weakens encryption security by allowing attackers to perform pattern analysis on the ciphertext. The vulnerability is fixed in version 2.2 by generating a random IV for each encryption operation and prepending it to the ciphertext, eliminating IV reuse. [1]

Impact Analysis

This vulnerability can significantly weaken the security of encrypted data by allowing attackers to detect patterns in ciphertexts when the same passphrase and plaintext are used. This can lead to potential exposure of sensitive information or facilitate cryptanalysis attacks. While the risk is lower if the vulnerable methods are used only internally within the library, it is rated high if consumers use these encryption methods directly. Upgrading to Jervis version 2.2 mitigates this risk by using random IVs. [1]

Detection Guidance

This vulnerability can be detected by identifying usage of Jervis versions prior to 2.2 that employ deterministic AES IV derivation from a passphrase in their encryption routines. Specifically, inspecting the `SecurityIO.groovy` file for the `encryptWithAES256` method that derives the IV as the first 16 bytes of the lowercase SHA-256 hash of the passphrase indicates the vulnerable implementation. There are no specific network detection commands provided, but you can check the version of Jervis installed and review the encryption code or logs for repeated identical ciphertext outputs for identical plaintext and passphrase inputs, which suggests IV reuse. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Jervis to version 2.2 or later, where the vulnerability is fixed by generating a random IV (nonce) for each encryption operation and prepending it to the ciphertext, eliminating IV reuse. No other workarounds are provided. Additionally, ensure that RSA keys used are at least 2048 bits, preferably 4096 bits, and migrate to the updated AES-256-GCM encryption scheme introduced in version 2.2 for improved security. [1, 2]

Compliance Impact

The vulnerability weakens the encryption scheme by reusing deterministic IVs, which can lead to pattern analysis and compromise of encrypted data confidentiality. This reduction in encryption strength could negatively impact compliance with standards and regulations such as GDPR and HIPAA that require strong data protection measures. Upgrading to Jervis version 2.2, which uses random IVs and stronger encryption methods, mitigates this risk and helps maintain compliance. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68701. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart