CVE-2025-53689

CVE-2025-53689: Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons

Vendor Apache Software Foundation

Product Apache Jackrabbit

Weakness CWE-611 · XXE

Published July 14, 2025

Last update November 4, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.

Key dates

Disclosure timeline

July 14, 2025 CVE published

November 4, 2025 Record updated

Identifiers

CVE CVE-2025-53689

CWE CWE-611

Affected versions

Vendor Apache Software Foundation

Product Apache Jackrabbit

Affected ≥ 2.20.0 and < 2.20.17

Vendor Apache Software Foundation

Product Apache Jackrabbit

Affected ≥ 2.22.0 and < 2.22.1

Vendor Apache Software Foundation

Product Apache Jackrabbit

Affected ≥ 2.23.0-beta and < 2.23.2-beta