CVE-2025-68702: Jervis Has a SHA-256 Hex String Padding Bug
- Inconsistent hash lengths when leading bytes are zero
- Comparison failures for hashes with leading zeros
- Potential security issues in hash-based comparisons
- Could cause subtle bugs in systems relying on consistent hash lengths
Severity is considered low for internal uses of this library, but if any consumer calls these methods directly, it is considered high.
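The encoding defect class the advisory describes, shown as an added example in Python (this is not Jervis's Groovy code; the unpadded per-byte formatting, the constructed search input, and the helper names are assumptions made for illustration):

```python
import hashlib
import itertools


def buggy_hex(digest: bytes) -> str:
    # Constructed example of the defect class: each byte is formatted with
    # "x", so 0x0a becomes "a" and a 32-byte SHA-256 digest can render as
    # fewer than 64 characters. The real Jervis code is not reproduced here.
    return "".join(format(b, "x") for b in digest)


def fixed_hex(digest: bytes) -> str:
    # Hardened form: every byte is exactly two hex digits, so the output
    # length is always 2 * len(digest) (64 for SHA-256).
    return "".join(format(b, "02x") for b in digest)


def sha256_hex(data: bytes, padded: bool = True) -> str:
    digest = hashlib.sha256(data).digest()
    return fixed_hex(digest) if padded else buggy_hex(digest)


def find_leading_zero_message(prefix: bytes = b"constructed-input-") -> bytes:
    # Search for a message whose digest starts with a byte below 0x10
    # (about one in sixteen), the case where the unpadded encoding drops a
    # nibble. The prefix is a constructed value, not data from the advisory.
    for i in itertools.count():
        msg = prefix + str(i).encode()
        if hashlib.sha256(msg).digest()[0] < 0x10:
            return msg


def matches_stdlib(data: bytes, padded: bool) -> bool:
    # Only the padded encoding agrees with hashlib's canonical hexdigest().
    return sha256_hex(data, padded) == hashlib.sha256(data).hexdigest()


def is_canonical_sha256_hex(s: str) -> bool:
    # Defensive check a consumer can apply before comparing hashes: reject
    # anything that is not exactly 64 lowercase hex digits, never coerce it.
    return len(s) == 64 and all(c in "0123456789abcdef" for c in s)


def unpadded_encoding_collides() -> bool:
    # Without padding the encoding is not even injective:
    # bytes [0a 11] -> "a11" and bytes [a1 01] -> "a11".
    return buggy_hex(bytes([0x0a, 0x11])) == buggy_hex(bytes([0xa1, 0x01]))


if __name__ == "__main__":
    msg = find_leading_zero_message()
    print(len(sha256_hex(msg, padded=False)), sha256_hex(msg, padded=False))
    print(len(sha256_hex(msg)), sha256_hex(msg))
```

Comparing a correctly padded hash against one produced by the unpadded encoder fails for roughly one input in sixteen, which is why the canonical-length check is the consumer-side mitigation.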
References
- github.com/advisories/GHSA-67rj-pjg6-pq59
- github.com/samrocketman/jervis
- github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy
- github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
- github.com/samrocketman/jervis/security/advisories/GHSA-67rj-pjg6-pq59
- nvd.nist.gov/vuln/detail/CVE-2025-68702