CVE-2025-68925
Unknown Unknown - Not Provided

JWT Algorithm Validation Bypass in Jervis Library Before

Vulnerability report for CVE-2025-68925, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: GitHub, Inc.

Description

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the code doesn't validate that the JWT header specifies "alg":"RS256". This vulnerability is fixed in 2.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-07-06
AI Q&A
2026-01-14
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
samrocketman jervis to 2.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-68925 is a JWT algorithm confusion vulnerability in the Jervis library versions prior to 2.2. The vulnerability occurs because the code does not validate that the JWT header specifies the algorithm as "alg":"RS256". This allows an attacker to potentially forge JWTs by exploiting the lack of enforcement of the expected RS256 algorithm. The issue is fixed in version 2.2 by explicitly verifying the JWT header's algorithm and adding additional JWT structure validation. [1]

Impact Analysis

The impact of this vulnerability is considered moderate for external users since JWTs are primarily used to interface with GitHub, allowing potential token forgery. Internally, the severity is low. Exploiting this vulnerability could allow attackers to forge JWTs and potentially gain unauthorized access or perform actions as if they were authenticated users. [1]

Detection Guidance

This vulnerability can be detected by inspecting JWT tokens used by the Jervis library to verify if the JWT header explicitly specifies the algorithm as "alg":"RS256". Since the vulnerable versions prior to 2.2 do not validate this, you can look for JWT tokens that do not specify or specify a different algorithm. Additionally, reviewing the version of Jervis in use can help detect vulnerability presence. There are no specific commands provided, but you can check the Jervis version and analyze JWT tokens for the 'alg' header field. Upgrading to version 2.2 or later is recommended to mitigate this issue. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Jervis library to version 2.2 or later, where the vulnerability is fixed by explicitly verifying that the JWT header's algorithm is "RS256" and adding additional JWT structure validation. Alternatively, users can switch to a different JWT library that properly enforces algorithm validation. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68925. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart