CVE-2025-53689

HIGH

Apache Jackrabbit <2.23.2 - Blind XXE

Title source: llm

Description

Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.

References (2)

Scores

CVSS v3 8.8
EPSS 0.0007
EPSS Percentile 21.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-611
Status published

Affected Products (6)

apache/jackrabbit < 2.20.17
apache/jackrabbit
apache/jackrabbit
apache/jackrabbit
org.apache.jackrabbit/jackrabbit-spi-commons < 2.20.17Maven
org.apache.jackrabbit/jackrabbit-core < 2.23.2-betaMaven

Timeline

Published Jul 14, 2025
Tracked Since Feb 18, 2026