Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68702

CVE-2025-68702: Samrocketman Jervis Encoding Vulnerability

CVE-2025-68702 is an encoding flaw in Samrocketman Jervis affecting SHA-256 hash processing in versions before 2.2. This article covers the technical details, affected versions, security impact, and mitigation steps.

Updated:

CVE-2025-68702 Overview

CVE-2025-68702 affects Jervis, a library used for Job DSL plugin scripts and shared Jenkins pipeline libraries. Versions prior to 2.2 contain a cryptographic encoding flaw in hex string padding logic. The library calls padLeft(32, '0') when handling SHA-256 output, but SHA-256 produces 32 bytes that require 64 hex characters for full representation. This truncation weakens the integrity guarantees provided by the hash function. The issue is classified as a use of broken or risky cryptographic algorithm [CWE-327] and is fixed in Jervis 2.2.

Critical Impact

Network-reachable attackers can compromise integrity protections in Jenkins pipeline workflows that rely on Jervis hash output, without authentication or user interaction.

Affected Products

  • Samrocketman Jervis versions prior to 2.2
  • Jenkins environments using Jervis for Job DSL plugin scripts
  • Shared Jenkins pipeline libraries built on Jervis

Discovery Timeline

  • 2026-01-13 - CVE-2025-68702 published to NVD
  • 2026-01-20 - Last updated in NVD database

Technical Details for CVE-2025-68702

Vulnerability Analysis

The vulnerability stems from incorrect hex encoding of SHA-256 hash output. SHA-256 produces a 256-bit digest, which equals 32 bytes or 64 hexadecimal characters. Jervis incorrectly pads the hex representation to 32 characters using padLeft(32, '0') instead of 64. This truncates or misaligns the cryptographic output, reducing the effective hash length and weakening collision resistance. The flaw maps to [CWE-327], use of a broken or risky cryptographic algorithm.

Root Cause

The root cause is a developer error in the hex string length parameter. The padLeft function ensures a minimum width when converting byte arrays to hexadecimal strings. Using a width of 32 instead of 64 produces a malformed representation of the SHA-256 digest. Downstream code that compares, stores, or verifies hashes operates on truncated values, allowing collisions or integrity bypasses that should not occur with a properly encoded SHA-256 hash.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. Attackers who can influence inputs processed by Jervis pipelines may craft data that produces collisions against the truncated hash representation. This impacts integrity of pipeline operations that rely on hash-based comparisons or signatures. The vulnerability does not directly affect confidentiality or availability. For technical details, refer to the GitHub Security Advisory GHSA-67rj-pjg6-pq59 and the upstream fix commit.

Detection Methods for CVE-2025-68702

Indicators of Compromise

  • Jervis library files with versions earlier than 2.2 present in Jenkins controller or agent classpaths
  • Pipeline logs showing hash values shorter than 64 hex characters where SHA-256 is expected
  • Unexpected pipeline behavior tied to hash comparison logic in Job DSL scripts

Detection Strategies

  • Inventory Jenkins controllers and shared library repositories for Jervis dependencies and compare versions against 2.2
  • Audit shared pipeline library source code for direct references to padLeft(32, '0') near SHA-256 usage
  • Review software composition analysis (SCA) reports for samrocketman:jervis package versions below 2.2

Monitoring Recommendations

  • Monitor Jenkins build logs for hash comparison failures or duplicate hash collisions in pipeline output
  • Track outbound changes to Jenkins shared library repositories that may attempt to exploit weakened integrity checks
  • Alert on Jenkins plugin or library updates that revert Jervis to versions prior to 2.2

How to Mitigate CVE-2025-68702

Immediate Actions Required

  • Upgrade Jervis to version 2.2 or later across all Jenkins controllers and shared library configurations
  • Rebuild and redeploy any Jenkins pipelines that bundle Jervis as a transitive dependency
  • Revalidate any hash-based integrity decisions made by pipelines that used vulnerable Jervis versions

Patch Information

The maintainer released Jervis 2.2 with the corrected padLeft(64, '0') call for SHA-256 hex encoding. The fix is published in the GitHub commit c3981ff. Administrators should pin the dependency to version 2.2 or newer in Gradle, Maven, or shared library descriptors. Confirm the upgrade by inspecting the resolved artifact version in Jenkins build classpaths.

Workarounds

  • No vendor-supplied workaround is available; upgrading to Jervis 2.2 is the supported remediation
  • As a temporary control, restrict network access to Jenkins controllers using Jervis until the upgrade is applied
  • Disable or quarantine shared library jobs that depend on Jervis hash comparisons until patched
bash
# Configuration example: pin Jervis 2.2 in Gradle dependency block
dependencies {
    implementation 'net.gleske:jervis:2.2'
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.