CVE-2025-68925

5.3 MEDIUM

📋 TL;DR

Jervis versions before 2.2 fail to validate JWT algorithm headers, allowing attackers to forge tokens using weaker algorithms like 'none' or HMAC. This affects Jenkins pipeline users who rely on Jervis for Job DSL plugin scripts and shared libraries. Attackers could bypass authentication or authorization controls.

💻 Affected Systems

Products:
  • Jervis
Versions: All versions before 2.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Jenkins instances using Jervis library for pipeline definitions.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete Jenkins pipeline compromise allowing unauthorized job execution, credential theft, and lateral movement within CI/CD infrastructure.

🟠

Likely Case

Unauthorized access to Jenkins jobs and pipelines, potentially modifying build processes or accessing sensitive build artifacts.

🟢

If Mitigated

Limited impact with proper network segmentation and minimal Jenkins privileges, though authentication bypass remains possible.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to generate JWTs and knowledge of Jervis usage in target Jenkins instance.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2

Vendor Advisory: https://github.com/samrocketman/jervis/security/advisories/GHSA-5pq9-5mpr-jj85

Restart Required: Yes

Instructions:

1. Update Jervis library to version 2.2 or later
2. Restart Jenkins service
3. Verify JWT validation is now enforced

🔧 Temporary Workarounds

Disable Jervis usage

Applies to: all

Temporarily stop using the Jervis library in Jenkins pipelines: remove or comment out Jervis imports from Jenkinsfiles.

🧯 If You Can't Patch

  • Implement strict network controls to limit Jenkins API access
  • Monitor for unusual JWT usage patterns in Jenkins logs

🔍 How to Verify

Check if Vulnerable:

Check Jervis version in Jenkins plugin manager or pipeline libraries configuration

Check Version:

Check Jenkins plugin manager or review pipeline library configuration files

Verify Fix Applied:

Attempt to use a JWT with an 'alg':'none' header; it should be rejected in version 2.2+.
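The check above, and the TL;DR's point that the verifier (not the token) must decide which algorithm is acceptable, is easier to reason about with a minimal reference verifier in hand. The following is an added example, not Jervis code (Jervis is a Groovy library; this is a Python illustration of the same validation rule). It assumes a shared-secret HS256 deployment; DEMO_SECRET, the token claims, and the functions make_hs256_token, make_unsigned_token and verify_token are all constructed for this example. The unsigned-token helper exists only to produce negative test input for the verifier, and the rejection reasons reuse the phrases from this advisory's log indicators so they line up with the SIEM query given later.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment would load this from a credential store.
DEMO_SECRET = b"constructed-demo-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWTs strip before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_input(header: dict, claims: dict) -> bytes:
    # base64url(header) "." base64url(payload): the bytes a JWT signature covers.
    parts = (json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode())
    return ".".join(_b64url_encode(p) for p in parts).encode("ascii")


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Issue a properly signed HS256 token (constructed test input)."""
    si = _signing_input({"alg": "HS256", "typ": "JWT"}, claims)
    sig = hmac.new(secret, si, hashlib.sha256).digest()
    return si.decode("ascii") + "." + _b64url_encode(sig)


def make_unsigned_token(claims: dict, alg: str = "none") -> str:
    """Token with an empty signature and a caller-chosen alg header; negative test input only."""
    return _signing_input({"alg": alg, "typ": "JWT"}, claims).decode("ascii") + "."


def verify_token(token: str, secret: bytes, expected_alg: str = "HS256") -> dict:
    """Strict verifier: the configured algorithm is pinned before the signature is examined.

    Returns {"valid": bool, "reason": str, "claims": dict | None}.
    """
    def reject(why: str) -> dict:
        return {"valid": False, "reason": "JWT validation failed: " + why, "claims": None}

    if expected_alg != "HS256":
        raise ValueError("this example implements HS256 only")
    parts = token.split(".")
    if len(parts) != 3:
        return reject("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, binascii.Error):
        return reject("undecodable header")
    alg = header.get("alg") if isinstance(header, dict) else None
    # The bug class behind this CVE is trusting the token's own alg field. Reject
    # 'none' in any casing, then reject anything other than the one algorithm
    # this verifier was configured for (blocks HMAC/RSA confusion as well).
    if not isinstance(alg, str):
        return reject("missing alg")
    if alg.lower() == "none":
        return reject("alg: none")
    if alg != expected_alg:
        return reject(f"invalid algorithm {alg}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    try:
        given_sig = _b64url_decode(sig_b64)
    except binascii.Error:
        return reject("undecodable signature")
    if not hmac.compare_digest(expected_sig, given_sig):
        return reject("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, binascii.Error):
        return reject("undecodable payload")
    return {"valid": True, "reason": "ok", "claims": claims}


if __name__ == "__main__":
    claims = {"sub": "pipeline-user", "iss": "constructed-demo"}
    cases = [
        ("signed HS256", make_hs256_token(claims, DEMO_SECRET)),
        ("alg none", make_unsigned_token(claims)),
        ("alg None", make_unsigned_token(claims, alg="None")),
        ("alg RS256", make_unsigned_token(claims, alg="RS256")),
        ("wrong key", make_hs256_token(claims, b"some-other-secret")),
    ]
    for label, tok in cases:
        print(f"{label:12} -> {verify_token(tok, DEMO_SECRET)['reason']}")
```

Only the first case is accepted; the 'none' and 'None' tokens are rejected before any signature work happens, the RS256 header is rejected because the verifier only ever accepts the algorithm it was configured for, and the wrong-key token fails the constant-time HMAC comparison. A fixed Jervis deployment should behave the same way on the 'alg':'none' probe described above.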

📡 Detection & Monitoring

Log Indicators:

  • Failed JWT validation attempts
  • Unusual pipeline execution patterns
  • Authentication events with unexpected JWT algorithms

Network Indicators:

  • Unusual API calls to Jenkins from unexpected sources
  • JWT tokens with 'alg':'none' in headers

SIEM Query:

source="jenkins.log" AND ("JWT validation failed" OR "invalid algorithm" OR "alg: none")
