CVE-2025-53689

Name: CVE-2025-53689
Description: Blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2, caused by the use of an unsecured XML document builder to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are no longer supported, so users should update to the respective supported version.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1109335
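The description above attributes the flaw to an unsecured XML document builder. The following Java snippet is an added example, not code from Apache Jackrabbit or from the Debian tracker: it places a default (unsecured) javax.xml.parsers.DocumentBuilderFactory next to a hardened one and checks both against a constructed privileges-style document whose DOCTYPE declares an external entity with a placeholder system id. The class name, the sample documents and the assumption that the privileges file is parsed with DocumentBuilderFactory are the author's own; the feature URIs are the standard Xerces/JAXP ones.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class HardenedXmlParsing {

    // Constructed sample: a privileges-like document whose DOCTYPE declares an
    // external entity. The system id is a placeholder, not a real resource.
    static final String SAMPLE_WITH_DTD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE privileges [\n" +
        "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">\n" +
        "]>\n" +
        "<privileges><privilege name=\"&ext;\"/></privileges>";

    // Constructed sample: the same document without a DTD, which is what a
    // privileges file is expected to look like.
    static final String SAMPLE_PLAIN =
        "<?xml version=\"1.0\"?>\n" +
        "<privileges><privilege name=\"jcr:read\"/></privileges>";

    /** Builder as obtained by default: DTDs and external entities are processed. */
    static DocumentBuilder unsecuredBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Builder hardened against XXE: no DOCTYPE, no external entities, no XInclude. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE declaration outright is the strongest setting: a
        // document carrying any DTD fails to parse, so no entity can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must keep DTDs enabled for other reasons.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns true if the builder accepted the document, false if it refused it. */
    static boolean parses(DocumentBuilder b, String xml) {
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (Exception e) {
            // SAXParseException for a rejected DOCTYPE, or an IOException when the
            // parser tried to fetch the external entity: either way the file is refused.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder hardened = hardenedBuilder();
        System.out.println("hardened, plain document accepted:    " + parses(hardened, SAMPLE_PLAIN));
        System.out.println("hardened, document with DTD accepted: " + parses(hardened, SAMPLE_WITH_DTD));
        // The default builder attempts to resolve the external entity before it
        // reports anything. Whether it succeeds depends on the placeholder resource,
        // which is the side effect a blind XXE relies on and the hardened builder avoids.
        DocumentBuilder unsecured = unsecuredBuilder();
        System.out.println("unsecured, document with DTD accepted: " + parses(unsecured, SAMPLE_WITH_DTD));
    }
}
```

Run it with a JDK 8 or later (`javac HardenedXmlParsing.java && java HardenedXmlParsing`). The hardened builder accepts the plain document and rejects the one with a DTD without touching the placeholder resource; the same `parses` check can be pointed at the factory an application actually uses to confirm whether its configuration is the unsecured one the advisory describes.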

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   | Release      | Version           | Status
jackrabbit (PTS) | bullseye     | 2.18.0+r2.14.6-1  | vulnerable
jackrabbit (PTS) | bookworm     | 2.20.3-1          | vulnerable
jackrabbit (PTS) | sid, trixie  | 2.20.11-1         | vulnerable

The information below is based on the following data on fixed versions.

Package    | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
jackrabbit | source | (unstable) | (unfixed)     |         |        | 1109335

Notes

https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24
https://issues.apache.org/jira/browse/JCR-5165
https://github.com/apache/jackrabbit/pull/263
https://github.com/apache/jackrabbit/commit/1d6cb3d0fcc8d51980b90ddcf94122d3e4add83e (jackrabbit-2.20.17)
