CVE-2025-68698

7.5 HIGH

📋 TL;DR

Jervis versions before 2.2 use vulnerable PKCS1Encoding for RSA encryption, making them susceptible to Bleichenbacher padding oracle attacks. This could allow attackers to decrypt sensitive data or forge signatures. Organizations using Jervis for Jenkins pipeline automation are affected.

💻 Affected Systems

Products:
  • Jervis
Versions: All versions before 2.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using Jervis for Jenkins pipeline automation with RSA encryption features.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could decrypt sensitive credentials, tokens, or configuration data stored or transmitted using Jervis's encryption, potentially leading to complete system compromise.

🟠 Likely Case

Attackers could decrypt specific encrypted data elements, potentially exposing pipeline secrets, credentials, or sensitive configuration data.

🟢 If Mitigated

With proper network segmentation and access controls, impact would be limited to the specific Jenkins instance using vulnerable Jervis.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Bleichenbacher attacks require the ability to interact with the padding oracle, typically through network access to the vulnerable service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2

Vendor Advisory: https://github.com/samrocketman/jervis/security/advisories/GHSA-mqw7-c5gg-xq97

Restart Required: Yes

Instructions:

1. Update Jervis to version 2.2 or later.
2. Update Jenkins pipeline libraries using Jervis.
3. Restart Jenkins instances using updated Jervis libraries.

🔧 Temporary Workarounds

Disable RSA encryption in Jervis (applies to: all)

If RSA encryption features are not required, disable them in Jervis configuration.

# Modify Jervis configuration to disable RSA encryption features
# Check Jervis documentation for specific configuration options

🧯 If You Can't Patch

  • Isolate Jenkins instances using Jervis behind strict network controls.
  • Monitor for unusual decryption attempts or padding oracle interactions.

🔍 How to Verify

Check if Vulnerable:

Check Jervis version in Jenkins pipeline libraries or shared library configuration. Versions before 2.2 are vulnerable.

Check Version:

# Check Jervis version in Jenkins pipeline: Review Jenkinsfile and shared library configurations for Jervis version

Verify Fix Applied:

Verify Jervis version is 2.2 or later in Jenkins pipeline configuration and shared libraries.

📡 Detection & Monitoring

Log Indicators:

  • Unusual RSA decryption attempts
  • Multiple failed decryption operations with timing patterns characteristic of padding oracle attacks

Network Indicators:

  • Repeated RSA ciphertext submissions to Jenkins/Jervis endpoints
  • Unusual traffic patterns to Jenkins pipeline endpoints

SIEM Query:

source="jenkins" AND (event_type="decryption_failure" OR message="padding error")
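The log and SIEM indicators above amount to one rule: a padding oracle attack needs a large number of decryption attempts against the same key, so a single source producing many decryption failures in a short window stands out from normal pipeline use. The following is an added example of that detection logic, not code from the page or from the Jervis project: the log line format, field names (`src=`, `result=`, `msg=`), the failure markers, and the threshold and window are all constructed assumptions, and the sample log is generated inline rather than taken from any real Jenkins instance.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

# Assumed log line format (constructed for this example, not Jervis's real output):
# <ISO timestamp> <level> jervis.decrypt src=<source> result=<ok|failure> msg="<text>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<level>\w+) jervis\.decrypt '
    r'src=(?P<src>\S+) result=(?P<result>\w+) msg="(?P<msg>[^"]*)"$'
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Message fragments treated as padding-oracle style failures (assumed wording).
FAILURE_MARKERS = ("padding error", "decryption_failure", "bad padding")


def format_event(ts: datetime, level: str, src: str, result: str, msg: str) -> str:
    """Render one constructed log line in the assumed format."""
    return f'{ts.strftime(TS_FORMAT)} {level} jervis.decrypt src={src} result={result} msg="{msg}"'


def parse_line(line: str) -> Optional[dict]:
    """Parse a log line into a dict of fields, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def is_oracle_failure(event: dict) -> bool:
    """True when the event is a decryption failure whose message looks like a padding check."""
    msg = event["msg"].lower()
    return event["result"] == "failure" and any(marker in msg for marker in FAILURE_MARKERS)


def detect_padding_oracle_bursts(lines, threshold: int = 50, window: timedelta = timedelta(seconds=60)):
    """Alert once per source that produces >= threshold decryption failures inside a sliding window.

    Lines for each source must be in chronological order (the sample below is sorted).
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None or not is_oracle_failure(event):
            continue
        ts = datetime.strptime(event["ts"], TS_FORMAT)
        q = recent[event["src"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and event["src"] not in alerted:
            alerted.add(event["src"])
            alerts.append({"src": event["src"], "count": len(q), "first": q[0], "last": ts})
    return alerts


def build_sample_log() -> list:
    """Constructed sample: normal traffic, two isolated failures, and one 80-failure burst."""
    base = datetime(2025, 1, 10, 12, 0, 0)
    lines = [
        format_event(base + timedelta(seconds=10 * i), "INFO", "10.0.0.5", "ok", "secret decrypted")
        for i in range(6)
    ]
    # An operator typo or stale key produces the odd failure; this should not alert.
    lines.append(format_event(base + timedelta(seconds=7), "WARN", "10.0.0.7", "failure", "padding error"))
    lines.append(format_event(base + timedelta(seconds=45), "WARN", "10.0.0.7", "failure", "padding error"))
    # A probing client: 80 failures in 40 seconds from one source.
    for i in range(80):
        lines.append(format_event(base + timedelta(seconds=i * 0.5), "WARN", "10.0.0.9", "failure", "padding error"))
    return sorted(lines)  # ISO timestamps sort lexicographically


if __name__ == "__main__":
    for alert in detect_padding_oracle_bursts(build_sample_log()):
        print(f"ALERT src={alert['src']} failures={alert['count']} between {alert['first']} and {alert['last']}")
```

The threshold and window are deliberately coarse: a real Bleichenbacher run needs far more oracle queries than fifty, so a low bar catches it early without flagging the occasional legitimate failure, and the per-source window keeps one noisy client from masking another.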
