// For flags

CVE-2025-53689

Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.

Vulnerabilidades Blind XXE en jackrabbit-spi-commons y jackrabbit-core en Apache Jackrabbit anterior a la versión 2.23.2 debido al uso de una compilación de documento no segura para cargar privilegios. Se recomienda a los usuarios actualizar a las versiones 2.20.17 (Java 8), 2.22.1 (Java 11) o 2.23.2 (Java 11, versiones beta), que solucionan este problema. Las versiones anteriores (hasta la 2.20.16) ya no son compatibles, por lo que los usuarios deben actualizar a la versión compatible correspondiente.

*Credits: Lars Krapf - Adobe, Dylan Pindur - Assetnote, Adam Kues - Assetnote
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2025-07-08 CVE Reserved
  • 2025-07-14 CVE Published
  • 2025-07-14 CVE Updated
  • 2025-08-15 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24 2025-07-14
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache Software Foundation
Search vendor "Apache Software Foundation"
 Apache Jackrabbit
Search vendor "Apache Software Foundation" for product "Apache Jackrabbit"
 >= 2.20.0 < 2.20.17
Search vendor "Apache Software Foundation" for product "Apache Jackrabbit" and version " >= 2.20.0 < 2.20.17"
en
Affected
Apache Software Foundation
Search vendor "Apache Software Foundation"
 Apache Jackrabbit
Search vendor "Apache Software Foundation" for product "Apache Jackrabbit"
 >= 2.22.0 < 2.22.1
Search vendor "Apache Software Foundation" for product "Apache Jackrabbit" and version " >= 2.22.0 < 2.22.1"
en
Affected