CVE-2025-68925
JWT Algorithm Validation Bypass in Jervis Library Before
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| samrocketman | jervis | < 2.2 (2.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68925 is a JWT algorithm confusion vulnerability in the Jervis library versions prior to 2.2. The vulnerability occurs because the code does not validate that the JWT header specifies the algorithm as "alg":"RS256". This allows an attacker to potentially forge JWTs by exploiting the lack of enforcement of the expected RS256 algorithm. The issue is fixed in version 2.2 by explicitly verifying the JWT header's algorithm and adding additional JWT structure validation. [1]
How can this vulnerability impact me?
The impact of this vulnerability is considered moderate for external users since JWTs are primarily used to interface with GitHub, allowing potential token forgery. Internally, the severity is low. Exploiting this vulnerability could allow attackers to forge JWTs and potentially gain unauthorized access or perform actions as if they were authenticated users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting JWT tokens used by the Jervis library to verify if the JWT header explicitly specifies the algorithm as "alg":"RS256". Since the vulnerable versions prior to 2.2 do not validate this, you can look for JWT tokens that do not specify or specify a different algorithm. Additionally, reviewing the version of Jervis in use can help detect vulnerability presence. There are no specific commands provided, but you can check the Jervis version and analyze JWT tokens for the 'alg' header field. Upgrading to version 2.2 or later is recommended to mitigate this issue. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the Jervis library to version 2.2 or later, where the vulnerability is fixed by explicitly verifying that the JWT header's algorithm is "RS256" and adding additional JWT structure validation. Alternatively, users can switch to a different JWT library that properly enforces algorithm validation. [1]
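An added illustration of the two points above (it is not Jervis code and does not show what Jervis 2.2 actually does internally): a pre-signature gate in the spirit of the fix, which rejects any token whose header `alg` is not exactly "RS256" and applies some basic structure checks, plus a small audit helper for reviewing tokens seen in logs. The function names, the structure checks beyond the `alg` comparison, and the sample tokens are assumptions; the RS256 signature verification that would follow the gate is not shown.

```python
import base64
import json

EXPECTED_ALG = "RS256"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    if not segment or any(c in segment for c in "+/="):
        raise ValueError("segment is not unpadded base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def check_jwt_header(token: str) -> dict:
    """Structure and algorithm gate that must pass before any signature check.
    Returns the decoded header or raises ValueError (assumed checks, see lead-in)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 segments, got {len(parts)}")
    header_raw, _payload_raw, signature_raw = parts
    header = json.loads(_b64url_decode(header_raw))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    # Exact match only: a missing alg, "none", "HS256" or "rs256" all fail.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"alg {header.get('alg')!r} is not {EXPECTED_ALG}")
    if not signature_raw:
        raise ValueError("signature segment is empty")
    return header

def make_sample_token(header: dict, payload: dict) -> str:
    # Constructed sample with a placeholder signature, for exercising the gate only.
    segs = [json.dumps(x, separators=(",", ":")).encode() for x in (header, payload)]
    return ".".join(_b64url_encode(s) for s in segs) + "." + _b64url_encode(b"placeholder")

def audit_tokens(tokens: list) -> dict:
    # Maps each token to "ok" or the rejection reason (any alg other than RS256 shows up here).
    verdicts = {}
    for tok in tokens:
        try:
            check_jwt_header(tok)
            verdicts[tok] = "ok"
        except ValueError as exc:  # base64 and JSON errors are ValueError subclasses
            verdicts[tok] = str(exc)
    return verdicts

if __name__ == "__main__":
    demo = [make_sample_token({"alg": "RS256", "typ": "JWT"}, {"iss": "12345"}),
            make_sample_token({"alg": "none"}, {"iss": "12345"}), "only.two"]
    print(audit_tokens(demo))
```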