oss-sec mailing list archives

CVE-2025-53689: Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons

From: Julian Reschke <reschke () apache org>
Date: Mon, 14 Jul 2025 09:11:41 +0000

Severity: critical 

Affected versions:

- Apache Jackrabbit (org.apache.jackrabbit:jackrabbit-spi-commons) 2.20.0 before 2.20.17
- Apache Jackrabbit (org.apache.jackrabbit:jackrabbit-spi-commons) 2.22.0 before 2.22.1
- Apache Jackrabbit (org.apache.jackrabbit:jackrabbit-spi-commons) 2.23.0-beta before 2.23.2-beta

Description:

Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of 
an unsecured document build to load privileges.

Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), 
which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the 
respective supported version.

Credit:

Lars Krapf - Adobe (reporter)
Dylan Pindur - Assetnote (finder)
Adam Kues - Assetnote (finder)

References:

https://jackrabbit.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-53689

Current thread:

CVE-2025-53689: Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons Julian Reschke (Jul 14)