CVE-2025-68698: Jervis Has a RSA PKCS#1 Padding Vulnerability
(updated )
Severity is considered low for internal uses of this library but if there’s any consumer using these methods directly then this is considered critical.
An attacker with access to a decryption oracle (e.g., timing differences or error messages) could potentially decrypt ciphertext without knowing the private key.
Jervis uses RSA to encrypt AES keys in local-only storage inaccessible from the web. The data stored is GitHub App authentication tokens which will expire within one hour or less.
References
- github.com/advisories/GHSA-mqw7-c5gg-xq97
- github.com/samrocketman/jervis
- github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy
- github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy
- github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
- github.com/samrocketman/jervis/security/advisories/GHSA-mqw7-c5gg-xq97
- nvd.nist.gov/vuln/detail/CVE-2025-68698
Code Behaviors & Features
Detect and mitigate CVE-2025-68698 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →