GHSA-5pq9-5mpr-jj85
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5pq9-5mpr-jj85
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-5pq9-5mpr-jj85/GHSA-5pq9-5mpr-jj85.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5pq9-5mpr-jj85
- Aliases
- Published
- 2026-01-13T14:56:04Z
- Modified
- 2026-01-13T21:56:37.608670Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Jervis Has a JWT Algorithm Confusion Vulnerability
- Details
-
Vulnerability
https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L244-L249
The code doesn't validate that the JWT header specifies
"alg":"RS256".Impact
Depending on the broader system, this could allow JWT forgery.
Internally this severity is low since JWT is only intended to interface with GitHub. External users should consider severity moderate.
Patches
Jervis patch will explicitly verify the algorithm in the header matches expectations and further verify the JWT structure.
Upgrade to Jervis 2.2.
Workarounds
External users should consider using an alternate JWT library or upgrade.
References
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-01-13T14:56:04Z", "severity": "MODERATE", "nvd_published_at": "2026-01-13T20:16:07Z", "cwe_ids": [ "CWE-347" ] }- References
-
- https://github.com/samrocketman/jervis/security/advisories/GHSA-5pq9-5mpr-jj85
- https://nvd.nist.gov/vuln/detail/CVE-2025-68925
- https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
- https://github.com/samrocketman/jervis
- https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L244-L249
- http://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
Affected packages
Maven / net.gleske:jervis
Package
- Name
- net.gleske:jervis
- View open source insights on deps.dev
- Purl
- pkg:maven/net.gleske/jervis
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.2