CVE-2025-68931

7.5 HIGH

📋 TL;DR

CVE-2025-68931 is a cryptographic vulnerability in Jervis library versions before 2.2: the library encrypts with AES/CBC/PKCS5Padding and provides no message authentication (integrity check) over the ciphertext, which enables padding oracle attacks and ciphertext manipulation. This allows attackers to decrypt or tamper with encrypted data without knowing the encryption key. Organizations using vulnerable Jervis versions in Jenkins pipeline libraries are affected.

💻 Affected Systems

Products:
  • Jervis (Jenkins pipeline library)
Versions: All versions before 2.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using Jervis library for encryption with AES/CBC/PKCS5Padding; Jenkins installations without Jervis are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of encrypted secrets and pipeline configurations, leading to unauthorized code execution, credential theft, and supply chain attacks on Jenkins infrastructure.

🟠

Likely Case

Decryption of sensitive pipeline secrets (API keys, passwords, tokens) and manipulation of pipeline logic to execute malicious code in Jenkins jobs.

🟢

If Mitigated

Limited impact if encryption is used only for non-sensitive data or if network isolation prevents attacker access to padding oracle responses.

🌐 Internet-Facing: MEDIUM - Requires network access to padding oracle responses; Jenkins instances exposed to internet with vulnerable Jervis libraries could be exploited.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this if they can interact with the vulnerable encryption endpoints.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to interact with padding oracle (typically via network requests) and knowledge of cryptographic attack techniques; no public exploits known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2

Vendor Advisory: https://github.com/samrocketman/jervis/security/advisories/GHSA-gxp5-mv27-vjcj

Restart Required: No

Instructions:

1. Update the Jervis library to version 2.2 or later.
2. Update Jenkins pipeline scripts to reference the new version.
3. Test pipeline functionality after the update.

🔧 Temporary Workarounds

Disable vulnerable encryption usage (applies to: all)

  • Temporarily stop using Jervis encryption functions until patched
  • Modify Jenkins pipeline scripts to remove or replace Jervis encryption calls

Network isolation (applies to: all)

  • Restrict network access to Jenkins instances using Jervis
  • Configure firewall rules to limit access to Jenkins ports (typically 8080/8443)

🧯 If You Can't Patch

  • Implement network segmentation to isolate Jenkins instances from untrusted networks
  • Monitor for unusual pipeline execution patterns and encryption-related errors in logs

🔍 How to Verify

Check if Vulnerable:

Check Jervis version in Jenkins pipeline libraries; versions below 2.2 are vulnerable.

Check Version:

grep -r 'jervis' Jenkinsfile

Alternatively, check the Jenkins plugin/library manager for the version.

Verify Fix Applied:

Confirm Jervis version is 2.2 or higher in pipeline library configuration.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed decryption attempts with padding errors
  • Unusual pipeline execution patterns

Network Indicators:

  • High volume of requests to encryption/decryption endpoints with varying ciphertexts

SIEM Query:

source="jenkins.log" AND ("padding error" OR "decryption failed")
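The SIEM query above matches individual lines; what distinguishes a padding oracle probe from an occasional bad key is volume from one source in a short time. The following is an added Java example (not code from Jervis or from this advisory) that runs that logic over constructed sample log lines. The log format (`<ISO-8601 timestamp> src=<address> <message>`), the threshold of 5 failures per 60 seconds and the sample lines are assumptions; the `not properly padded` phrase is the text of the SunJCE `BadPaddingException` message, included alongside the advisory's two indicator strings.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PaddingErrorBurstDetector {
    // Constructed log format: "<ISO-8601 timestamp> src=<address> <message>".
    // Real Jenkins log shipping differs; adapt this pattern to your own output.
    private static final Pattern LINE = Pattern.compile("^(\\S+) src=(\\S+) (.*)$");

    // The advisory's indicator strings plus the SunJCE BadPaddingException message text.
    private static final Pattern INDICATOR = Pattern.compile(
            "padding error|decryption failed|not properly padded", Pattern.CASE_INSENSITIVE);

    static final int THRESHOLD = 5;                       // failures per source (assumed)
    static final Duration WINDOW = Duration.ofSeconds(60); // sliding window (assumed)

    /** Returns the sources that produced at least THRESHOLD matching failures inside WINDOW. */
    static List<String> detect(List<String> lines) {
        Map<String, Deque<Instant>> recent = new HashMap<>();
        List<String> alerts = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches() || !INDICATOR.matcher(m.group(3)).find()) {
                continue; // not a decryption failure, or not in the expected format
            }
            Instant ts = Instant.parse(m.group(1));
            String src = m.group(2);
            Deque<Instant> q = recent.computeIfAbsent(src, k -> new ArrayDeque<>());
            q.addLast(ts);
            // Drop failures older than the window relative to the newest one.
            while (!q.isEmpty() && Duration.between(q.peekFirst(), ts).compareTo(WINDOW) > 0) {
                q.pollFirst();
            }
            if (q.size() >= THRESHOLD && !alerts.contains(src)) {
                alerts.add(src);
            }
        }
        return alerts;
    }

    public static void main(String[] args) {
        // Constructed sample: one source fails five times in six seconds, another fails twice
        // five minutes apart, and one unrelated line must be ignored.
        List<String> sample = List.of(
            "2025-01-15T10:00:01Z src=10.0.0.5 jervis decrypt: javax.crypto.BadPaddingException: Given final block not properly padded",
            "2025-01-15T10:00:02Z src=10.0.0.5 jervis decrypt: javax.crypto.BadPaddingException: Given final block not properly padded",
            "2025-01-15T10:00:03Z src=10.0.0.9 pipeline deploy-prod: decryption failed",
            "2025-01-15T10:00:04Z src=10.0.0.5 jervis decrypt: javax.crypto.BadPaddingException: Given final block not properly padded",
            "2025-01-15T10:00:05Z src=10.0.0.5 jervis decrypt: javax.crypto.BadPaddingException: Given final block not properly padded",
            "2025-01-15T10:00:06Z src=10.0.0.7 build #42 started",
            "2025-01-15T10:00:07Z src=10.0.0.5 jervis decrypt: padding error",
            "2025-01-15T10:05:00Z src=10.0.0.9 pipeline deploy-prod: decryption failed");
        System.out.println("sources to investigate: " + detect(sample));
    }
}
```

On the constructed sample only the first source crosses the threshold; the second source's two failures fall outside one window of each other and are treated as ordinary noise. Tune THRESHOLD and WINDOW against your own baseline of legitimate decryption failures before alerting on the result.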

🔗 References
