CVE-2025-68702
Incorrect Padding in Jervis Library Causes Hash Verification Flaw
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| samrocketman | jervis | < 2.2 (2.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68702 is a vulnerability in the Jervis library where the SHA-256 hash output is incorrectly padded. The method computing the SHA-256 hash converts the hash bytes to a hex string and pads it to 32 characters instead of the correct 64 characters. Since SHA-256 produces a 32-byte (256-bit) hash, its hex representation should always be 64 characters long. This incorrect padding causes inconsistent hash lengths when the leading bytes of the hash are zero, leading to failures in hash comparisons and potential security issues in systems relying on consistent hash-based comparisons. [1]
How can this vulnerability impact me?
This vulnerability can cause inconsistent hash lengths for SHA-256 hashes with leading zero bytes, resulting in failures when comparing hashes as strings. This can lead to subtle bugs in applications that depend on the Jervis library for SHA-256 hashing. If your system relies directly on these hash comparisons for security or integrity checks, it could cause incorrect behavior or security issues. The severity is considered high if consumers use these methods directly, but low for internal uses of the library. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your system or project uses the Jervis library version prior to 2.2, specifically looking for the sha256Sum method in the file SecurityIO.groovy that pads SHA-256 hashes to 32 characters instead of 64. You can inspect the version of Jervis in use or search for the vulnerable code pattern. There are no specific network detection commands provided. For example, you can check the Jervis version with your package manager or inspect your dependencies. Additionally, reviewing logs or application behavior for inconsistent SHA-256 hash lengths or hash comparison failures may indicate the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Jervis library to version 2.2 or later, where the padding bug in the sha256Sum method is fixed by changing padLeft from 32 to 64 characters. Alternatively, you can replace the SHA-256 hash function implementation with a secure alternative that correctly pads the hash output. Upgrading ensures consistent hash lengths and prevents failures in hash comparisons and potential security issues. [1]
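The padding defect described in the answers above, reproduced in pure Python as an added example (this is not Jervis code): the vulnerable `padLeft(32)` variant sits beside the `padLeft(64)` fix, a short search finds an input whose digest starts with a zero byte, and a length check shows how a consumer can detect non-canonical digests. The hex conversion is assumed to follow the common integer-to-hex idiom (`BigInteger(1, bytes).toString(16)` in Groovy), which drops leading zero bytes; the helper names and the `jervis-` sample prefix are constructed for this example.

```python
"""Added example for CVE-2025-68702: SHA-256 hex padded to 32 instead of 64 chars."""
import hashlib
from itertools import count


def hex_via_bigint(digest: bytes, width: int) -> str:
    # Assumed to mirror the Groovy idiom `new BigInteger(1, bytes).toString(16).padLeft(width, '0')`.
    # Going through an integer discards leading zero bytes, so the hex string must be
    # padded back to the full digest width; rjust pads only when the string is shorter.
    return format(int.from_bytes(digest, "big"), "x").rjust(width, "0")


def sha256_sum_vulnerable(data: bytes) -> str:
    # Jervis < 2.2: padLeft(32). A digest with one leading zero byte becomes 62 hex
    # chars, which is already longer than 32, so nothing is padded and the length varies.
    return hex_via_bigint(hashlib.sha256(data).digest(), 32)


def sha256_sum_fixed(data: bytes) -> str:
    # Jervis 2.2: padLeft(64), the full hex length of a 256-bit digest.
    return hex_via_bigint(hashlib.sha256(data).digest(), 64)


def find_input_with_leading_zero_byte(prefix: bytes = b"jervis-") -> bytes:
    # Roughly 1 in 256 inputs hashes to a digest whose first byte is 0x00, so a
    # counter search over constructed inputs finds one almost immediately.
    for i in count():
        candidate = prefix + str(i).encode()
        if hashlib.sha256(candidate).digest()[0] == 0:
            return candidate


def is_canonical_sha256_hex(s: str) -> bool:
    # Detection check for consumers: a SHA-256 hex digest is always exactly 64 hex chars.
    return len(s) == 64 and all(c in "0123456789abcdef" for c in s.lower())


def fixed_matches_stdlib(data: bytes) -> bool:
    # The corrected padding must agree with hashlib's canonical hexdigest for any input.
    return sha256_sum_fixed(data) == hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    data = find_input_with_leading_zero_byte()
    vuln, fixed = sha256_sum_vulnerable(data), sha256_sum_fixed(data)
    print(len(vuln), vuln)    # shorter than 64: a string comparison against the real digest fails
    print(len(fixed), fixed)  # 64
    print(is_canonical_sha256_hex(vuln), is_canonical_sha256_hex(fixed))
```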
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. The vulnerability involves incorrect SHA-256 hash padding leading to inconsistent hash lengths and potential security issues in hash-based comparisons, which could indirectly affect data integrity or security. However, no explicit mention is made regarding compliance implications. [1]