CVE-2025-68704
Unknown Unknown - Not Provided
Predictable Randomness Vulnerability in Jervis Library Prior to

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: GitHub, Inc.

Description
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random() which is not cryptographically secure for timing attack mitigation. This vulnerability is fixed in 2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68704
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
samrocketman jervis to 2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68704 is a vulnerability in the Jervis library prior to version 2.2 where the method intended to mitigate timing attacks uses java.util.Random() to generate random delays. Since java.util.Random() is not cryptographically secure, the random delays are predictable, allowing an attacker to potentially perform successful timing attacks. The vulnerability is fixed in version 2.2 by replacing java.util.Random() with SecureRandom, which provides cryptographically secure randomness. [1]

Impact Analysis

This vulnerability can allow an attacker to exploit predictable random delays to carry out timing attacks against systems using the vulnerable Jervis versions. Successful timing attacks can lead to information leakage or bypassing security controls that rely on timing-based mitigations. Therefore, systems using Jervis versions prior to 2.2 are at risk until they upgrade to the fixed version. [1]

Detection Guidance

This vulnerability can be detected by checking the version of the Jervis library in use. Versions prior to 2.2 use the insecure java.util.Random() in the avoidTimingAttack method, which is vulnerable. To detect this, you can verify the Jervis version installed on your system or in your Jenkins pipeline libraries. For example, you can run commands to check the version of the Jervis package in your environment, such as 'mvn dependency:list | grep jervis' if using Maven, or inspect the version in your build configuration files. Additionally, reviewing the source code or binaries for the presence of the vulnerable method implementation (avoidTimingAttack using java.util.Random) can confirm vulnerability. There are no specific network detection commands provided. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Jervis library to version 2.2 or later, where the vulnerability is fixed by replacing java.util.Random() with a cryptographically secure SecureRandom in the avoidTimingAttack method. There are no known workarounds other than upgrading. Upgrading ensures the use of cryptographically secure random delays, mitigating timing attacks effectively. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68704. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart