CVE-2025-68701: Jervis has Deterministic AES IV Derivation from Passphrase
(updated )
Severity is considered low for internal uses of this library but if there’s any consumer using these methods directly then this is considered high.
Significant reduction in the security of the encryption scheme. Pattern analysis becomes possible.
References
- github.com/advisories/GHSA-crxp-chh4-9ghp
- github.com/samrocketman/jervis
- github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy
- github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy
- github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
- github.com/samrocketman/jervis/security/advisories/GHSA-crxp-chh4-9ghp
- nvd.nist.gov/vuln/detail/CVE-2025-68701
Code Behaviors & Features
Detect and mitigate CVE-2025-68701 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →