Blind XXE in Apache Jackrabbit SPI-Commons/Core <2.23.2
CVE-2025-53689 Published on July 14, 2025
Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons
Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges.
Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.
Vulnerability Analysis
CVE-2025-53689 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a XXE Vulnerability?
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVE-2025-53689 has been classified to as a XXE vulnerability or weakness.
Products Associated with CVE-2025-53689
Want to know whenever a new CVE is published for Apache Jackrabbit? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Jackrabbit:- Version 2.20.0 and below 2.20.17 is affected.
- Version 2.22.0 and below 2.22.1 is affected.
- Version 2.23.0-beta and below 2.23.2-beta is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.