CVE-2025-53689

CWE-611 — XML External Entity (XXE)7 documents6 sources

Severity

8.8HIGH

EPSS

0.1%

top 76.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Jackrabbit Apache Jackrabbit

Timeline

PublishedJul 14

Description

Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶Mavenorg.apache.jackrabbit:jackrabbit-core2.23.0-beta — 2.23.2-beta+2

▶Mavenorg.apache.jackrabbit:jackrabbit-spi-commons2.20.0 — 2.20.17+2

▶NVDapache/jackrabbit2.20.0 — 2.20.17+3

▶CVEListV5apache_software_foundation/apache_jackrabbit2.20.0 — 2.20.17+2

▶Debianjackrabbit< 2.20.11-1.1+1

🔴Vulnerability Details

GHSA

Apache Jackrabbit vulnerable to blind XXE attack due to insecure document build↗2025-07-14

▶

OSV

CVE-2025-53689: Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2↗2025-07-14

▶

CVEList

Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons↗2025-07-14

▶

OSV

Apache Jackrabbit vulnerable to blind XXE attack due to insecure document build↗2025-07-14

▶

📋Vendor Advisories

Red Hat

jackrabbit-spi-commons: jackrabbit-core: Apache Jackrabbit XXE vulnerability↗2025-07-14

▶

Debian

CVE-2025-53689: jackrabbit - Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apach...↗2025

▶