CVE-2025-53689

Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges.

Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.

References

Affected packages

Git / github.com/apache/jackrabbit

Affected ranges

Type

GIT

Repo

https://github.com/apache/jackrabbit

Events

Introduced

f2edaae265bb3a11f51de4c2b8aed3ecd2d2f290

Fixed

c54a39af0728641c6ff79b69e66a157b536d66e6

Introduced

Last affected

66c73133c8b8a1fc374251ceab692f1d9b59225d

Introduced

Last affected

b94047fcda958c3c009703bc09b012898a826e0d

Introduced

Last affected

cae1e7851c99599547d5af992ea56357f50d05a2

Database specific

{
    "versions": [
        {
            "introduced": "2.20.0"
        },
        {
            "fixed": "2.20.17"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.22.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.23.0-beta"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.23.1-beta"
        }
    ]
}

Affected versions

jackrabbit-2.*

jackrabbit-2.20.14

jackrabbit-2.20.15

jackrabbit-2.20.16

jackrabbit-2.21.22

jackrabbit-2.21.23

jackrabbit-2.21.24

jackrabbit-2.21.25

jackrabbit-2.21.26-beta

jackrabbit-2.21.27-beta

jackrabbit-2.22.0

jackrabbit-2.23.0-beta

jackrabbit-2.23.1-beta

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53689.json"