CVE-2025-58782

Severity: 6.5 MEDIUM
EPSS: 0.5% (top 32.26%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 8

Description

Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR repository lookup from untrusted users allow those users to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2.
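The following is an added example, not code from the Jackrabbit project or from this advisory. It puts the vulnerable pattern (a lookup URI taken straight from the request and handed to JcrUtils.getRepository, which with jackrabbit-core on the classpath lets a "jndi:" URI reach JndiRepositoryFactory) next to a hardened version that refuses JNDI schemes and only resolves operator-configured URIs. It assumes the JCR API and jackrabbit-jcr-commons on the classpath; the class name, the URIs in ALLOWED and the probe strings in main() are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

import javax.jcr.Repository;
import javax.jcr.RepositoryException;

import org.apache.jackrabbit.commons.JcrUtils;

/**
 * Added example, not Jackrabbit project code. Requires the JCR API and
 * jackrabbit-jcr-commons on the classpath; URIs below are hypothetical.
 */
public class RepositoryLookup {

    /* Vulnerable pattern: the request value goes straight to JcrUtils, which
     * offers the URI to every RepositoryFactory on the classpath. A "jndi:"
     * URI is taken by JndiRepositoryFactory, which performs a JNDI lookup of
     * the attacker-chosen name; the object that lookup returns is
     * deserialized, so the attacker controls what gets instantiated. */
    static Repository lookupUnsafe(String uriFromRequest) throws RepositoryException {
        return JcrUtils.getRepository(uriFromRequest);
    }

    /* Hardened pattern: untrusted input may only select among URIs the
     * operator configured, and any JNDI scheme is refused outright. */
    static final Set<String> ALLOWED = Set.of(
            "file:///var/lib/jackrabbit/repository",   // hypothetical
            "http://jcr.internal.example/server");     // hypothetical

    static Repository lookupSafe(String uriFromRequest) throws RepositoryException {
        if (!isPermitted(uriFromRequest)) {
            throw new IllegalArgumentException("repository URI not permitted");
        }
        return JcrUtils.getRepository(uriFromRequest.trim());
    }

    /** True only for a well-formed, non-JNDI URI that is on the allow-list. */
    static boolean isPermitted(String raw) {
        if (raw == null) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            return false;                // unparseable: reject
        }
        String scheme = uri.getScheme();
        if (scheme == null || "jndi".equals(scheme.toLowerCase(Locale.ROOT))) {
            return false;                // no scheme, or any JNDI lookup: reject
        }
        // URI.toString() returns the text it was built from, so this is an
        // exact-string match against the configured list (no normalization
        // is applied, which is what we want here).
        return ALLOWED.contains(uri.toString());
    }

    public static void main(String[] args) {
        String[] probes = {
                "file:///var/lib/jackrabbit/repository",   // configured: allow
                "JNDI:ldap://attacker.example/x",          // JNDI lookup: reject
                "jndi:java:comp/env/jcr/repository",       // JNDI, even local: reject
                "http://jcr.internal.example/server/../x", // not configured: reject
                "not a uri"                                // unparseable: reject
        };
        for (String p : probes) {
            System.out.println((isPermitted(p) ? "allow  " : "reject ") + p);
        }
    }
}
```

The same reasoning applies to code that builds the parameter map for JndiRepositoryFactory directly from request data instead of going through a URI string: the JNDI name must come from configuration, never from the user. An even simpler design is to let the request carry only a short key ("main", "archive") that the application maps to a configured URI, which removes URI parsing from the trust boundary altogether.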

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

The vector rates confidentiality and integrity impact as Low and availability as None, which is what yields 6.5; the worst case in the description (arbitrary code execution through deserialization) is not reflected in that score. Deployments that let untrusted users supply the JCR lookup URI should prioritise on the description rather than on the number.

Affected Packages: 5 packages

🔴 Vulnerability Details (4)

GHSA: Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data (2025-09-08)
CVEList: Apache Jackrabbit Core, Apache Jackrabbit JCR Commons: JNDI injection risk with JndiRepositoryFactory (2025-09-08)
OSV: Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data (2025-09-08)
OSV: CVE-2025-58782: Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons (2025-09-08)

📋 Vendor Advisories (2)

Red Hat: org.apache.jackrabbit/jackrabbit-core, org.apache.jackrabbit/jackrabbit-jcr-commons: Apache Jackrabbit JNDI injection (2025-09-08)
Debian: CVE-2025-58782: jackrabbit - Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Ap... (2025)
CVE-2025-58782 (MEDIUM CVSS 6.5) | Deserialization of Untrusted Data v | cvebase.io