CVE-2025-53689

Name: CVE-2025-53689
Description: Blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document builder to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1109335
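The root cause named in the description is a document builder left at its defaults, which honours DOCTYPE declarations and resolves external entities, so a crafted privileges document can trigger out-of-band reads (the "blind" XXE). The Java snippet below is an added illustration, not code from Apache Jackrabbit, the linked fix commit or this tracker: it contrasts a default DocumentBuilderFactory with the hardened configuration a maintainer would use when loading privilege definitions. The class, method names and the sample document are constructed for this example; the feature URIs are the standard Xerces/JAXP ones.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class PrivilegeXmlParsing {

    // Constructed sample: a privileges-style document that declares an external
    // entity. The SYSTEM target is a deliberate placeholder path, not a real resource.
    static final String DOC_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE privileges [<!ENTITY ext SYSTEM \"file:///nonexistent/placeholder\">]>\n"
        + "<privileges><privilege name=\"&ext;\"/></privileges>";

    /** The unsafe pattern: factory defaults process DTDs and external entities. */
    static DocumentBuilder unsecuredBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened factory: refuse DOCTYPE outright and disable every external fetch. */
    static DocumentBuilder securedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE is the single most effective setting: no entity
        // declarations can be processed at all, so no expansion or resolution happens.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that still see a DTD from another source.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /**
     * Returns true when the builder rejects the sample document at its DOCTYPE,
     * i.e. before any external entity could be resolved.
     */
    static boolean rejectsDoctype(DocumentBuilder builder) {
        try {
            builder.parse(new InputSource(new StringReader(DOC_WITH_DTD)));
            return false; // accepted: the DTD was processed
        } catch (SAXParseException e) {
            return true;  // hardened path: disallow-doctype-decl fired first
        } catch (SAXException e) {
            return false;
        } catch (IOException e) {
            return false; // default path: the parser tried to fetch the external entity
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default builder rejects DOCTYPE:  " + rejectsDoctype(unsecuredBuilder()));
        System.out.println("hardened builder rejects DOCTYPE: " + rejectsDoctype(securedBuilder()));
    }
}
```

Running the class shows the default builder attempting to resolve the placeholder entity (it fails with an I/O error on the non-existent path, which is exactly the network or file access an attacker would be steering), while the hardened builder stops at the DOCTYPE. The same checks apply to any XML loaded from repository content or configuration, not only privilege definitions.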

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release              Version            Status
jackrabbit (PTS)    bullseye             2.18.0+r2.14.6-1   vulnerable
jackrabbit          bookworm             2.20.3-1           vulnerable
jackrabbit          forky, sid, trixie   2.20.11-1.1        fixed

The information below is based on the following data on fixed versions.

Package      Type     Release      Fixed Version   Urgency       Origin   Debian Bugs
jackrabbit   source   (unstable)   2.20.11-1.1     unimportant            1109335

Notes

https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24
https://issues.apache.org/jira/browse/JCR-5165
https://github.com/apache/jackrabbit/pull/263
https://github.com/apache/jackrabbit/commit/1d6cb3d0fcc8d51980b90ddcf94122d3e4add83e (jackrabbit-2.20.17)
Vulnerable classes are not in the binary package.
