CVE-2025-53689: Apache Jackrabbit vulnerable to blind XXE attack due to insecure document build

July 14, 2025

Blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges.

Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.

References

github.com/advisories/GHSA-44c3-38h8-9fh9
github.com/apache/jackrabbit
github.com/apache/jackrabbit/pull/263/commits/02786c0a01838580252bdab79bfa54026c30294e
lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24
nvd.nist.gov/vuln/detail/CVE-2025-53689

Code Behaviors & Features

Detect and mitigate CVE-2025-53689 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →