CVE-2025-68704
Predictable Randomness Vulnerability in Jervis Library Prior to
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| samrocketman | jervis | < 2.2 (upper bound exclusive; fixed in 2.2) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-330 | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68704 is a vulnerability in the Jervis library prior to version 2.2. The method intended to mitigate timing attacks, avoidTimingAttack, draws its random delays from java.util.Random. That class is a 48-bit linear congruential generator, not a cryptographically secure PRNG: its internal state can be recovered from a handful of observed outputs, after which every future delay is predictable, so an attacker can subtract the delays and carry out the timing attack the method was meant to prevent. Version 2.2 fixes this by replacing java.util.Random with java.security.SecureRandom, whose output is cryptographically unpredictable. [1]
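The following is an added example, not code from this page or from the Jervis project. It re-implements java.util.Random in Python with the JDK's own LCG constants and shows why CWE-330 applies: from a few consecutive nextInt() outputs the 48-bit internal state is recovered by brute-forcing the 16 bits the output discards, and every later value is then known. The scenario (seed, number of observed values, the assumption that the attacker sees raw nextInt() values standing in for whatever the delay was derived from) is constructed; a delay computed via nextInt(bound) exposes fewer bits per observation and needs more samples, but the generator is the same 48-bit LCG with no secret beyond its state.

```python
MULT = 0x5DEECE66D          # java.util.Random multiplier
ADD = 0xB                   # java.util.Random addend
MASK = (1 << 48) - 1        # 48-bit state


def _signed32(v):
    """Reinterpret the low 32 bits of v as a Java int."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v


class JavaRandom:
    """Minimal re-implementation of java.util.Random (same constants as the JDK),
    so the attack can be shown without a JVM. Construct either from a seed, which
    is scrambled exactly as the JDK constructor does, or from a recovered state."""

    def __init__(self, seed=None, raw_state=None):
        if raw_state is not None:
            self.state = raw_state & MASK
        elif seed is not None:
            self.state = (seed ^ MULT) & MASK
        else:
            raise ValueError("seed or raw_state required")

    def _next(self, bits):
        self.state = (self.state * MULT + ADD) & MASK
        return self.state >> (48 - bits)

    def next_int(self):
        return _signed32(self._next(32))


def recover_state(observed):
    """Recover the generator state from >= 2 consecutive nextInt() outputs.

    nextInt() leaks the top 32 of the 48 state bits, so only the low 16 bits are
    unknown. Brute-force them using the first output, confirm the candidate against
    every later output, and return the state after the last observed value
    (None if no candidate is consistent with all observations)."""
    if len(observed) < 2:
        raise ValueError("need at least two consecutive outputs")
    hi = observed[0] & 0xFFFFFFFF
    for low in range(1 << 16):
        rng = JavaRandom(raw_state=(hi << 16) | low)
        if all(rng.next_int() == o for o in observed[1:]):
            return rng.state
    return None


def predict(observed, count):
    """Predict the next `count` nextInt() outputs following the observed ones."""
    state = recover_state(observed)
    if state is None:
        return None
    rng = JavaRandom(raw_state=state)
    return [rng.next_int() for _ in range(count)]


def demo():
    """Constructed scenario: the victim seeds java.util.Random with a value the
    attacker never learns; the attacker observes three delays and predicts four."""
    victim = JavaRandom(seed=0x1234_5678_9ABC)   # hypothetical secret seed
    leaked = [victim.next_int() for _ in range(3)]
    future = [victim.next_int() for _ in range(4)]
    return predict(leaked, 4) == future


if __name__ == "__main__":
    print("JDK check, Random(42).nextInt():", JavaRandom(seed=42).next_int())
    print("attacker predicted the future delays:", demo())
```

The brute force is 65,536 candidates, i.e. instantaneous; nothing about the seed helps, because the seed is scrambled into the state rather than kept secret from it. A SecureRandom-backed delay has no such 48-bit state to recover, which is the whole content of the 2.2 fix.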
How can this vulnerability impact me?
This vulnerability allows an attacker to predict, and therefore subtract out, the random delays that vulnerable Jervis versions add to mask timing differences, restoring the timing signal the mitigation was meant to hide. A successful timing attack can then leak information or bypass whatever control relied on that timing-based mitigation. Systems using Jervis versions prior to 2.2 remain at risk until they upgrade to the fixed version. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection is a version and source check rather than a network one. Jervis versions prior to 2.2 implement avoidTimingAttack with java.util.Random, so any system or Jenkins pipeline library that pulls in a version below 2.2 is vulnerable. Confirm the version in your build configuration or dependency report, for example 'mvn dependency:list | grep jervis' if the library is consumed through Maven, the equivalent dependency listing for your build tool, or the Jenkins shared-library configuration that pins the Jervis version. To confirm from code, inspect the source or decompiled classes for avoidTimingAttack and check whether it is backed by java.util.Random (vulnerable) or SecureRandom (fixed). There are no specific network detection commands provided. [1]
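The source-review step above can be scripted. The following is an added example, not code from this page or from Jervis: it walks a checkout of .groovy/.java files, finds a declaration of the method the advisory names (avoidTimingAttack), and classifies it by whether the method, or failing that the file, constructs java.util.Random or references SecureRandom. The two embedded sample files are constructed stand-ins for a pre-2.2 and a fixed version; the real Jervis layout, method signature and field names are not assumed beyond the method name.

```python
import re
from pathlib import Path

# The advisory names the method (avoidTimingAttack) and the two RNG classes;
# these patterns find a declaration of that method and how its RNG is built.
METHOD_DECL_RE = re.compile(r'\bavoidTimingAttack\s*\([^)]*\)\s*\{')
INSECURE_RE = re.compile(r'\bnew\s+(?:java\.util\.)?Random\s*\(')
SECURE_RE = re.compile(r'\bSecureRandom\b')


def brace_block(src, open_idx):
    """Return the brace-delimited block starting at src[open_idx] == '{'.
    Plain brace counting (ignores braces inside strings); adequate for triage."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == '{':
            depth += 1
        elif src[i] == '}':
            depth -= 1
            if depth == 0:
                return src[open_idx:i + 1]
    return src[open_idx:]


def classify_source(src):
    """'vulnerable' if avoidTimingAttack is backed by java.util.Random, 'fixed' if
    by SecureRandom, 'unknown' if the method exists but the RNG cannot be told
    (or both appear), None if the method is not declared in this file."""
    m = METHOD_DECL_RE.search(src)
    if not m:
        return None
    body = brace_block(src, m.end() - 1)
    # The RNG may be built inside the method or held in a class field, so fall
    # back to the whole file when the method body itself names neither class.
    evidence = body if (INSECURE_RE.search(body) or SECURE_RE.search(body)) else src
    has_bad = bool(INSECURE_RE.search(evidence))
    has_good = bool(SECURE_RE.search(evidence))
    if has_bad and not has_good:
        return 'vulnerable'
    if has_good and not has_bad:
        return 'fixed'
    return 'unknown'


def scan_tree(root):
    """Walk a checkout and report a verdict for every file declaring the method."""
    verdicts = {}
    for path in Path(root).rglob('*'):
        if path.suffix in ('.groovy', '.java') and path.is_file():
            v = classify_source(path.read_text(errors='replace'))
            if v is not None:
                verdicts[str(path)] = v
    return verdicts


# Constructed samples (not Jervis source) standing in for a pre-2.2 and a fixed file.
VULNERABLE_SAMPLE = '''
import java.util.Random

class TimingGuard {
    static void avoidTimingAttack(int minMillis, int maxMillis) {
        Random rng = new Random()
        Thread.sleep(minMillis + rng.nextInt(maxMillis - minMillis))
    }
}
'''
FIXED_SAMPLE = (VULNERABLE_SAMPLE
                .replace('import java.util.Random', 'import java.security.SecureRandom')
                .replace('Random rng = new Random()', 'SecureRandom rng = new SecureRandom()'))


if __name__ == '__main__':
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else '.'
    for path, verdict in sorted(scan_tree(root).items()):
        print(f'{verdict:10s} {path}')
```

Run it against a checkout of the library (or of a Jenkins shared-library vendored copy) with the directory as the first argument; a 'vulnerable' verdict on the file declaring avoidTimingAttack corroborates a version below 2.2, while 'unknown' means the method was found but the RNG is constructed in a way the patterns do not recognise and should be read by hand.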
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Jervis library to version 2.2 or later, where avoidTimingAttack draws its delays from java.security.SecureRandom instead of java.util.Random. No workaround other than upgrading is known. One caveat worth keeping in mind even after the upgrade: a random delay only masks timing differences while its values stay unpredictable to the attacker, which SecureRandom provides and java.util.Random did not; it raises the number of measurements an attacker needs rather than removing the leak, so constant-time handling of the protected operation remains the stronger control where it is available. [1]