CVE-2025-68702 Overview
CVE-2025-68702 affects Jervis, a library used for Job DSL plugin scripts and shared Jenkins pipeline libraries. Versions prior to 2.2 contain a cryptographic encoding flaw in hex string padding logic. The library calls padLeft(32, '0') when handling SHA-256 output, but SHA-256 produces 32 bytes that require 64 hex characters for full representation. This truncation weakens the integrity guarantees provided by the hash function. The issue is classified as a use of broken or risky cryptographic algorithm [CWE-327] and is fixed in Jervis 2.2.
Critical Impact
Network-reachable attackers can compromise integrity protections in Jenkins pipeline workflows that rely on Jervis hash output, without authentication or user interaction.
Affected Products
- Samrocketman Jervis versions prior to 2.2
- Jenkins environments using Jervis for Job DSL plugin scripts
- Shared Jenkins pipeline libraries built on Jervis
Discovery Timeline
- 2026-01-13 - CVE-2025-68702 published to NVD
- 2026-01-20 - Last updated in NVD database
Technical Details for CVE-2025-68702
Vulnerability Analysis
The vulnerability stems from incorrect hex encoding of SHA-256 hash output. SHA-256 produces a 256-bit digest, which equals 32 bytes or 64 hexadecimal characters. Jervis incorrectly pads the hex representation to 32 characters using padLeft(32, '0') instead of 64. This truncates or misaligns the cryptographic output, reducing the effective hash length and weakening collision resistance. The flaw maps to [CWE-327], use of a broken or risky cryptographic algorithm.
Root Cause
The root cause is a developer error in the hex string length parameter. The padLeft function ensures a minimum width when converting byte arrays to hexadecimal strings. Using a width of 32 instead of 64 produces a malformed representation of the SHA-256 digest. Downstream code that compares, stores, or verifies hashes operates on truncated values, allowing collisions or integrity bypasses that should not occur with a properly encoded SHA-256 hash.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. Attackers who can influence inputs processed by Jervis pipelines may craft data that produces collisions against the truncated hash representation. This impacts integrity of pipeline operations that rely on hash-based comparisons or signatures. The vulnerability does not directly affect confidentiality or availability. For technical details, refer to the GitHub Security Advisory GHSA-67rj-pjg6-pq59 and the upstream fix commit.
Detection Methods for CVE-2025-68702
Indicators of Compromise
- Jervis library files with versions earlier than 2.2 present in Jenkins controller or agent classpaths
- Pipeline logs showing hash values shorter than 64 hex characters where SHA-256 is expected
- Unexpected pipeline behavior tied to hash comparison logic in Job DSL scripts
Detection Strategies
- Inventory Jenkins controllers and shared library repositories for Jervis dependencies and compare versions against 2.2
- Audit shared pipeline library source code for direct references to padLeft(32, '0') near SHA-256 usage
- Review software composition analysis (SCA) reports for samrocketman:jervis package versions below 2.2
Monitoring Recommendations
- Monitor Jenkins build logs for hash comparison failures or duplicate hash collisions in pipeline output
- Track outbound changes to Jenkins shared library repositories that may attempt to exploit weakened integrity checks
- Alert on Jenkins plugin or library updates that revert Jervis to versions prior to 2.2
How to Mitigate CVE-2025-68702
Immediate Actions Required
- Upgrade Jervis to version 2.2 or later across all Jenkins controllers and shared library configurations
- Rebuild and redeploy any Jenkins pipelines that bundle Jervis as a transitive dependency
- Revalidate any hash-based integrity decisions made by pipelines that used vulnerable Jervis versions
Patch Information
The maintainer released Jervis 2.2 with the corrected padLeft(64, '0') call for SHA-256 hex encoding. The fix is published in the GitHub commit c3981ff. Administrators should pin the dependency to version 2.2 or newer in Gradle, Maven, or shared library descriptors. Confirm the upgrade by inspecting the resolved artifact version in Jenkins build classpaths.
Workarounds
- No vendor-supplied workaround is available; upgrading to Jervis 2.2 is the supported remediation
- As a temporary control, restrict network access to Jenkins controllers using Jervis until the upgrade is applied
- Disable or quarantine shared library jobs that depend on Jervis hash comparisons until patched
# Configuration example: pin Jervis 2.2 in Gradle dependency block
dependencies {
implementation 'net.gleske:jervis:2.2'
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

