[oss-security] CVE-2025-53689: Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons

Julian Reschke Mon, 14 Jul 2025 02:12:42 -0700

Severity: critical 

Affected versions:


- Apache Jackrabbit (org.apache.jackrabbit:jackrabbit-spi-commons) 2.20.0 
before 2.20.17
- Apache Jackrabbit (org.apache.jackrabbit:jackrabbit-spi-commons) 2.22.0 
before 2.22.1
- Apache Jackrabbit (org.apache.jackrabbit:jackrabbit-spi-commons) 2.23.0-beta 
before 2.23.2-beta

Description:

Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in 
Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load 
privileges.

Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) 
or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up 
to 2.20.16) are not supported anymore, thus users should update to the 
respective supported version.

Credit:

Lars Krapf - Adobe (reporter)
Dylan Pindur - Assetnote (finder)
Adam Kues - Assetnote (finder)

References:

https://jackrabbit.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-53689

[oss-security] CVE-2025-53689: Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons

Reply via email to