CVE-2025-68702
Unknown Unknown - Not Provided
Incorrect Padding in Jervis Library Causes Hash Verification Flaw

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: GitHub, Inc.

Description
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses padLeft(32, '0') when it should use padLeft(64, '0') because SHA-256 produces 32 bytes which equates to 64 hex characters. This vulnerability is fixed in 2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68702
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
samrocketman jervis to 2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. The vulnerability involves incorrect SHA-256 hash padding leading to inconsistent hash lengths and potential security issues in hash-based comparisons, which could indirectly affect data integrity or security. However, no explicit mention is made regarding compliance implications. [1]

Executive Summary

CVE-2025-68702 is a vulnerability in the Jervis library where the SHA-256 hash output is incorrectly padded. The method computing the SHA-256 hash converts the hash bytes to a hex string and pads it to 32 characters instead of the correct 64 characters. Since SHA-256 produces a 32-byte (256-bit) hash, its hex representation should always be 64 characters long. This incorrect padding causes inconsistent hash lengths when the leading bytes of the hash are zero, leading to failures in hash comparisons and potential security issues in systems relying on consistent hash-based comparisons. [1]

Impact Analysis

This vulnerability can cause inconsistent hash lengths for SHA-256 hashes with leading zero bytes, resulting in failures when comparing hashes as strings. This can lead to subtle bugs in applications that depend on the Jervis library for SHA-256 hashing. If your system relies directly on these hash comparisons for security or integrity checks, it could cause incorrect behavior or security issues. The severity is considered high if consumers use these methods directly, but low for internal uses of the library. [1]

Detection Guidance

This vulnerability can be detected by checking if your system or project uses the Jervis library version prior to 2.2, specifically looking for the sha256Sum method in the file SecurityIO.groovy that pads SHA-256 hashes to 32 characters instead of 64. You can inspect the version of Jervis in use or search for the vulnerable code pattern. There are no specific network detection commands provided. For example, you can check the Jervis version with your package manager or inspect your dependencies. Additionally, reviewing logs or application behavior for inconsistent SHA-256 hash lengths or hash comparison failures may indicate the vulnerability. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the Jervis library to version 2.2 or later, where the padding bug in the sha256Sum method is fixed by changing padLeft from 32 to 64 characters. Alternatively, you can replace the SHA-256 hash function implementation with a secure alternative that correctly pads the hash output. Upgrading ensures consistent hash lengths and prevents failures in hash comparisons and potential security issues. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68702. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart