CVE-2025-53689

Source
https://cve.org/CVERecord?id=CVE-2025-53689
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53689.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-53689
Aliases
Downstream
Published
2025-07-14T09:15:38.863Z
Modified
2026-07-15T02:15:39.324852798Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons
Details

Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges.

Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.

Database specific
{
    "cna_assigner": "apache",
    "cwe_ids": [
        "CWE-611"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "2.20.0"
                },
                {
                    "fixed": "2.20.17"
                },
                {
                    "introduced": "2.22.0"
                },
                {
                    "fixed": "2.22.1"
                },
                {
                    "introduced": "2.23.0-beta"
                },
                {
                    "fixed": "2.23.2-beta"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53689.json"
}
References

Affected packages

Git / github.com/apache/jackrabbit

Affected ranges

Type
GIT
Repo
https://github.com/apache/jackrabbit
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "cpe": [
        "cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:jackrabbit:2.22.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:jackrabbit:2.23.0:beta:*:*:*:*:*:*",
        "cpe:2.3:a:apache:jackrabbit:2.23.1:beta:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "2.20.0"
        },
        {
            "fixed": "2.20.17"
        },
        {
            "introduced": "2.22.0"
        },
        {
            "last_affected": "2.22.0"
        },
        {
            "introduced": "2.23.0-beta"
        },
        {
            "last_affected": "2.23.0-beta"
        },
        {
            "introduced": "2.23.1-beta"
        },
        {
            "last_affected": "2.23.1-beta"
        }
    ]
}

Affected versions

2.*
2.22.0
2.23.0-beta
2.23.1-beta

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53689.json"