CVE-2025-68925

low-risk

Published 2026-01-13

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the code doesn't validate that the JWT header specifies "alg":"RS256". This vulnerability is fixed in 2.2.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Jervis

Affected Vendors

Samrocketman

References (2)

Patch https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a...

Vendor Advisory https://github.com/samrocketman/jervis/security/advisories/GHSA-5pq9-5mpr-jj85

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal