CVE-2025-53689 – org.apache.jackrabbit:jackrabbit-spi-commons

Package

Manager: maven
Name: org.apache.jackrabbit:jackrabbit-spi-commons
Vulnerable Version: >=2.20.0 <2.20.17 || >=2.22.0 <2.22.1 || >=2.23.0-beta <2.23.2-beta

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00054 pctl0.16836

Details

Apache Jackrabbit vulnerable to blind XXE attack due to insecure document build Blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.

Metadata

Created: 2025-07-14T12:30:27Z
Modified: 2025-07-14T21:18:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-44c3-38h8-9fh9/GHSA-44c3-38h8-9fh9.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-44c3-38h8-9fh9
Finding: F083
Auto approve: 1