CVE-2025-68703

7.5 HIGH

📋 TL;DR

Jervis (a library for Jenkins Job DSL and pipeline scripts) derives its encryption key from the password deterministically, with no per-secret salt, so the same password always yields the same key. An attacker who obtains Jervis-encrypted data can guess the password offline, and because nothing varies between encryptions, keys precomputed for candidate passwords can be reused against every ciphertext produced with that password. All Jervis versions before 2.2 are affected when its encryption functionality is used for pipeline secrets.
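To make the TL;DR concrete, the following is an added example and not Jervis's own code: a deterministic, unsalted derivation standing in for the weak scheme the advisory describes, beside a salted PBKDF2-HMAC-SHA256 variant of the kind the fix calls for. The password, wordlist, header string, work factor and the "key check" tag that stands in for a decryption attempt are all constructed for the demonstration. It shows why the weak scheme lets an attacker build a lookup table once and reuse it against every blob, while the salted scheme forces a full, slow pass per target.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the hardened variant


def weak_derive_key(password: str) -> bytes:
    """Stand-in for the deterministic derivation described in the advisory:
    one unsalted hash of the password, so every secret and every installation
    that uses the same password ends up with the same key."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def strong_derive_key(password: str, salt: Optional[bytes] = None,
                      iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Hardened variant: a fresh 16-byte random salt per secret (stored next to
    the ciphertext) fed into a slow password KDF, PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=32)
    return salt, key


def key_check(key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the blob?': a short keyed tag over a
    constant header (constructed for the demo). Real ciphertext gives an
    attacker the same oracle through its auth tag or recognisable plaintext."""
    return hmac.new(key, b"jervis-kdf-demo-header", hashlib.sha256).digest()[:8]


def build_weak_table(wordlist: List[str]) -> Dict[bytes, str]:
    """Precompute check values for candidate passwords once. Because the weak
    scheme has no salt, this table works against every blob ever produced."""
    return {key_check(weak_derive_key(w)): w for w in wordlist}


def attack_weak(table: Dict[bytes, str], check: bytes) -> Optional[str]:
    """Lookup against a captured blob: no hashing at all per target."""
    return table.get(check)


def attack_strong(salt: bytes, check: bytes, wordlist: List[str],
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[Optional[str], int]:
    """Guess against a salted blob. Returns (password or None, KDF calls made).
    Nothing can be precomputed: each target costs a full pass over the
    wordlist at the KDF's work factor."""
    calls = 0
    for candidate in wordlist:
        calls += 1
        _, key = strong_derive_key(candidate, salt, iterations)
        if hmac.compare_digest(key_check(key), check):
            return candidate, calls
    return None, calls


WORDLIST = ["password", "jenkins", "hunter2", "changeme"]  # constructed sample


def demo(password: str = "hunter2") -> dict:
    """Two blobs encrypted under the same password, attacked both ways."""
    weak_blobs = [key_check(weak_derive_key(password)) for _ in range(2)]
    table = build_weak_table(WORDLIST)
    weak_hits = [attack_weak(table, check) for check in weak_blobs]

    strong_blobs = [strong_derive_key(password) for _ in range(2)]
    strong_hits = [attack_strong(salt, key_check(key), WORDLIST)
                   for salt, key in strong_blobs]
    return {
        "weak_keys_identical": weak_blobs[0] == weak_blobs[1],
        "weak_recovered": weak_hits,
        "weak_kdf_calls_total": len(WORDLIST),
        "strong_keys_identical": strong_blobs[0][1] == strong_blobs[1][1],
        "strong_recovered": [hit for hit, _ in strong_hits],
        "strong_kdf_calls_total": sum(calls for _, calls in strong_hits),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module attacks two blobs under the same password: the weak scheme is broken by a single table built with one hash per candidate, and both blobs share a key, whereas the salted scheme yields two different keys and costs a fresh pass over the wordlist per blob. A long, unique password raises the cost of both attacks, which is why it appears under the workarounds below, but only the salt removes the reuse of precomputed work.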

💻 Affected Systems

Products:
  • Jervis (Jenkins Job DSL/pipeline library)
Versions: All versions before 2.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Jervis installations using its encryption functionality for pipeline secrets.

📦 What is this software?

Jervis is a library for Jenkins Job DSL and pipeline scripts. Among its features is a helper for encrypting pipeline secrets, which is the functionality affected by this vulnerability.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers decrypt all encrypted pipeline secrets, gaining access to credentials, API keys, and sensitive configuration data stored in Jenkins pipelines.

🟠

Likely Case

Attackers with access to encrypted artifacts or configuration files can perform offline brute-force attacks to recover passwords and access some pipeline secrets.

🟢

If Mitigated

With strong, unique passwords and limited access to encrypted artifacts, impact is reduced to theoretical risk with minimal practical exposure.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to encrypted data and ability to perform password guessing/brute-force attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2

Vendor Advisory: https://github.com/samrocketman/jervis/security/advisories/GHSA-36h5-vrq6-pp34

Restart Required: No

Instructions:

1. Update Jervis to version 2.2 or later
2. Re-encrypt every secret with the updated version so that each one is protected by a freshly derived key
3. Rotate any credentials that may have been exposed while encrypted with a vulnerable version

🔧 Temporary Workarounds

Use external secret management (platform: all)

Store pipeline secrets in the Jenkins Credentials Plugin or an external secret manager instead of Jervis encryption.

Implement strong password policies (platform: all)

Use long, complex, unique passwords for Jervis encryption to make brute-force attacks impractical. This raises the cost of guessing but does not change the deterministic derivation itself.

🧯 If You Can't Patch

  • Rotate all secrets encrypted with vulnerable Jervis versions immediately
  • Restrict access to encrypted artifacts and configuration files containing Jervis-encrypted data

🔍 How to Verify

Check if Vulnerable:

Check the Jervis version referenced by your Jenkins pipeline scripts or shared library configuration. Any version before 2.2 is vulnerable if the encryption functionality is used.

Check Version:

Look at the version pinned in the shared-library reference in pipeline scripts (the @Library annotation or the library step, in the form jervis@<version>) and at the Global Pipeline Libraries configuration in Jenkins, which sets the default version used when a script pins none.

Verify Fix Applied:

Confirm the Jervis version in use is 2.2 or later and that encryption operations now use proper key derivation with a unique salt per secret.
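The version check above, and the SIEM search described later on this page, amount to finding every Jervis shared-library reference and comparing its pinned version against 2.2. The scanner below is an added example, not part of Jervis or of this page's original content. It assumes the library is registered in Jenkins under the name "jervis" and loaded through the standard Jenkins forms (the @Library annotation, including the list form, and the library step with a bare string or an identifier: argument); the sample pipeline scripts are constructed for the demonstration. References without a pinned version, or pinned to a branch or commit, are reported as unknown rather than guessed.

```python
import re
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

FIXED_VERSION = (2, 2)

# Shared-library load forms in Jenkins pipeline scripts, assuming the library
# is registered under the name "jervis": @Library('jervis@2.1') _,
# @Library(['jervis@2.1', ...]) _, library 'jervis@2.1',
# library identifier: 'jervis@2.1'. Without "@<ref>" Jenkins uses the default
# version configured for the library, which a file scan cannot see.
LIB_REF = re.compile(
    r"""(?:@Library\(\s*\[?\s*|library\s+|identifier:\s*)['"]jervis(?:@([^'"]*))?['"]"""
)


def parse_version(ref: str) -> Optional[Tuple[int, ...]]:
    """'2.1' -> (2, 1); branch or commit refs such as 'main' -> None."""
    parts = ref.split(".")
    if parts and all(p.isdigit() for p in parts):
        return tuple(int(p) for p in parts)
    return None


def classify(ref: Optional[str]) -> str:
    """Compare a pinned ref against the fixed version, numerically (2.10 > 2.2)."""
    if ref is None:
        return "unknown: default library version set in Jenkins applies"
    version = parse_version(ref)
    if version is None:
        return f"unknown: non-numeric ref {ref!r}, resolve it to a tag"
    return "vulnerable" if version < FIXED_VERSION else "fixed"


Finding = Tuple[str, int, Optional[str], str]  # (file, line, ref, status)


def scan_text(name: str, text: str) -> Iterator[Finding]:
    """Yield one finding per Jervis library reference in a script."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in LIB_REF.finditer(line):
            ref = match.group(1)
            yield name, lineno, ref, classify(ref)


def scan_tree(root: str) -> List[Finding]:
    """Walk a checkout of pipeline repos: Jenkinsfiles and .groovy scripts."""
    findings: List[Finding] = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and (path.name == "Jenkinsfile" or path.suffix == ".groovy"):
            findings.extend(scan_text(str(path), path.read_text(errors="replace")))
    return findings


SAMPLE_SCRIPTS = {  # constructed examples, not real pipelines
    "app/Jenkinsfile": "@Library('jervis@2.1') _\nnode { echo 'build' }\n",
    "infra/Jenkinsfile": "@Library(['jervis@2.2', 'shared-utils']) _\n",
    "lib/pipeline.groovy": "library 'jervis'\n",
    "ops/Jenkinsfile": "library identifier: 'jervis@main'\n",
}


def scan_samples() -> List[Finding]:
    """Run the scanner over the constructed scripts instead of a checkout."""
    findings: List[Finding] = []
    for name, text in SAMPLE_SCRIPTS.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for name, lineno, ref, status in scan_samples():
        print(f"{name}:{lineno} jervis@{ref or '<default>'} -> {status}")
```

Point scan_tree at a directory of checked-out pipeline repositories to get the same report for real scripts. Every "unknown" line still needs a manual follow-up in the Jenkins configuration, since a reference with no pinned version is only as safe as the default version set there.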

📡 Detection & Monitoring

Log Indicators:

  • Repeated failed decryption attempts against Jervis-encrypted values in pipeline logs
  • Bursts of encryption or decryption operations from a single job or user in a short window

Network Indicators:

  • Unusual access patterns to Jenkins artifacts or configuration files containing Jervis-encrypted data

SIEM Query:

Search Jenkins configuration and pipeline scripts for Jervis shared-library references pinned to a version below 2.2, and for references with no version pinned (these resolve to the default configured in Jenkins and must be checked there)
