CVE-2025-53689

Summary

Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges.

Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Jackrabbit2.20.0 < 2.20.17affected
Apache Software FoundationApache Jackrabbit2.22.0 < 2.22.1affected
Apache Software FoundationApache Jackrabbit2.23.0-beta < 2.23.2-betaaffected

Weaknesses

  • CWE-611: CWE-611 Improper Restriction of XML External Entity Reference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References