CVE-2025-53689

HIGH

Apache Jackrabbit <2.23.2 - Blind XXE

Title source: llm

Description

Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.

References (2)

[Vendor Advisory] https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24

[Mailing List] http://www.openwall.com/lists/oss-security/2025/07/14/1

Scores

CVSS v3 8.8

EPSS 0.0008

EPSS Percentile 23.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-611

Status published

Products (6)

apache/jackrabbit 2.22.0

apache/jackrabbit 2.23.0 beta

apache/jackrabbit 2.23.1 beta

apache/jackrabbit 2.20.0 - 2.20.17

org.apache.jackrabbit/jackrabbit-core 2.23.0-beta - 2.23.2-betaMaven

org.apache.jackrabbit/jackrabbit-spi-commons 2.20.0 - 2.20.17Maven

Published Jul 14, 2025

Tracked Since Feb 18, 2026