#web

## Impact The Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. ## Patches This issue has been patched in version 2.2.0. Users are advised to upgrade to v2.2.0 or later, where IP whitelist validation uses strict IP comparison logic rather than partial string matching. ## Workarounds Users unable to upgrade immediately should avoid relying solely on IP whitelisting for webhook security. Recommended mitigations include: - Adding authentication mechanisms such as shared s...

### Vulnerability https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L682-L684 https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L720-L722 `AES/CBC/PKCS5Padding` lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. ### Impact Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered critical. Unlikely to matter due to the design of how AES-256-CBC is used in conjunction with RSA and SHA-256 checksum within Jervis. Jervis uses RSA to encrypt AES keys and a SHA-256 checksum of the encrypted data in local-only storage inaccessible from the web. After asymmetric decryption and before symmetric decryption, a SHA-256 checksum is performed on the metadata and encrypted data. A...

### Vulnerability https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L244-L249 The code doesn't validate that the JWT header specifies `"alg":"RS256"`. ### Impact Depending on the broader system, this could allow JWT forgery. Internally this severity is low since JWT is only intended to interface with GitHub. External users should consider severity moderate. ### Patches Jervis patch will explicitly verify the algorithm in the header matches expectations and further verify the JWT structure. Upgrade to Jervis 2.2. ### Workarounds External users should consider using an alternate JWT library or upgrade. ### References - [RFC 7518: JSON Web Algorithms](https://datatracker.ietf.org/doc/html/rfc7518)

### Vulnerability https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L593-L594 Uses `java.util.Random()` which is not cryptographically secure. ### Impact If an attacker can predict the random delays, they may still be able to perform timing attacks. ### Patches Jervis will use `SecureRandom` for timing randomization. Upgrade to Jervis 2.2. ### Workarounds None ### References - [OWASP Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)

### Vulnerability https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L869-L870 https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L894-L895 The salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. ### Impact Pre-computation attacks. Severity is considered low for internal uses of this library and high for consumers of this library. ### Patches Jervis will generate a random salt for each password and store it alongside the ciphertext. Upgrade to Jervis 2.2. ### Workarounds None ### References - [NIST SP 800-132: Password-Based Key Derivation](https://csrc.nist.gov/publications/detail/sp/800-132/final)

### Vulnerability https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L622-L626 `padLeft(32, '0')` should be `padLeft(64, '0')`. SHA-256 produces 32 bytes = 64 hex characters. ### Impact * Inconsistent hash lengths when leading bytes are zero * Comparison failures for hashes with leading zeros * Potential security issues in hash-based comparisons * Could cause subtle bugs in systems relying on consistent hash lengths Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered high. ### Patches Upgrade to Jervis 2.2. ### Workarounds Use an alternate SHA-256 hash function or upgrade.

### Vulnerability https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L866-L874 https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L891-L900 Same passphrase + same plaintext = same ciphertext (IV reuse) ### Impact Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered high. Significant reduction in the security of the encryption scheme. Pattern analysis becomes possible. ### Patches Random IV will be generated and prepended to the ciphertext. Upgrade to Jervis 2.2. ### Workarounds None

### Vulnerability https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L463-L465 https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L495-L497 Uses `PKCS1Encoding` which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding). ### Impact Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered critical. An attacker with access to a decryption oracle (e.g., timing differences or error messages) could potentially decrypt ciphertext without knowing the private key. Jervis uses RSA to encrypt AES keys in local-only storage inaccessible from the web. The data stored is GitHub App authentication tokens which will expire within one hour or less. ### Pat...

Researchers at Silent Push have exposed a global Magecart campaign stealing credit card data since 2022. Learn how this invisible web-skimming attack targets major networks like Mastercard and Amex, and how to stay safe.

AI agents are no longer just writing code. They are executing it. Tools like Copilot, Claude Code, and Codex can now build, test, and deploy software end-to-end in minutes. That speed is reshaping engineering—but it’s also creating a security gap most teams don’t see until something breaks. Behind every agentic workflow sits a layer few organizations are actively securing: Machine Control