GHSA-5PQ9-5MPR-JJ85

Vulnerability from github – Published: 2026-01-13 14:56 – Updated: 2026-01-21 16:23
VLAI
Summary
Jervis Has a JWT Algorithm Confusion Vulnerability
Details

Vulnerability

https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L244-L249

The code doesn't validate that the JWT header specifies "alg":"RS256".

Impact

Depending on the broader system, this could allow JWT forgery.

Internally this severity is low since JWT is only intended to interface with GitHub. External users should consider severity moderate.

Patches

Jervis patch will explicitly verify the algorithm in the header matches expectations and further verify the JWT structure.

Upgrade to Jervis 2.2.

Workarounds

External users should consider using an alternate JWT library or upgrade.

References

Severity
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "net.gleske:jervis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T14:56:04Z",
    "nvd_published_at": "2026-01-13T20:16:07Z",
    "severity": "MODERATE"
  },
  "details": "### Vulnerability\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L244-L249\n\nThe code doesn\u0027t validate that the JWT header specifies `\"alg\":\"RS256\"`.\n\n### Impact\n\nDepending on the broader system, this could allow JWT forgery.\n\nInternally this severity is low since JWT is only intended to interface with GitHub.  External users should consider severity moderate.\n\n### Patches\n\nJervis patch will explicitly verify the algorithm in the header matches expectations and further verify the JWT structure.\n\nUpgrade to Jervis 2.2.\n\n### Workarounds\n\nExternal users should consider using an alternate JWT library or upgrade.\n\n### References\n\n- [RFC 7518: JSON Web Algorithms](https://datatracker.ietf.org/doc/html/rfc7518)",
  "id": "GHSA-5pq9-5mpr-jj85",
  "modified": "2026-01-21T16:23:33Z",
  "published": "2026-01-13T14:56:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/samrocketman/jervis/security/advisories/GHSA-5pq9-5mpr-jj85"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68925"
    },
    {
      "type": "WEB",
      "url": "https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/samrocketman/jervis"
    },
    {
      "type": "WEB",
      "url": "https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L244-L249"
    },
    {
      "type": "WEB",
      "url": "http://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Jervis Has a JWT Algorithm Confusion Vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.