CVE-2025-53689

HIGH8.8EPSS 0.21%

Apache Jackrabbit vulnerable to blind XXE attack due to insecure document build

Published: 7/14/2025Modified: 4/28/2026

Description

Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.

Affected packages (3)

Debian/jackrabbitfrom 0
Maven/org.apache.jackrabbit:jackrabbit-core>= 2.23.0-beta, < 2.23.2-beta
Maven/org.apache.jackrabbit:jackrabbit-spi-commons>= 2.20.0, < 2.20.17

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-53689
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-53689
PATCHhttps://github.com/apache/jackrabbit
WEBhttps://github.com/apache/jackrabbit/pull/263/commits/02786c0a01838580252bdab79bfa54026c30294e
WEBhttps://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24
WEBhttp://www.openwall.com/lists/oss-security/2025/07/14/1