Headline
GHSA-44c3-38h8-9fh9: Apache Jackrabbit vulnerable to blind XXE attack due to insecure document build
Blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges.
Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-53689
Apache Jackrabbit vulnerable to blind XXE attack due to insecure document build
High severity GitHub Reviewed Published Jul 14, 2025 to the GitHub Advisory Database • Updated Jul 14, 2025
Package
maven org.apache.jackrabbit:jackrabbit-core (Maven)
Affected versions
>= 2.23.0-beta, < 2.23.2-beta
>= 2.20.0, < 2.20.17
>= 2.22.0, < 2.22.1
Patched versions
2.23.2-beta
2.20.17
2.22.1
maven org.apache.jackrabbit:jackrabbit-spi-commons (Maven)
>= 2.20.0, < 2.20.17
>= 2.22.0, < 2.22.1
>= 2.23.0-beta, < 2.23.2-beta
2.20.17
2.22.1
2.23.2-beta
Published to the GitHub Advisory Database
Jul 14, 2025
Last updated
Jul 14, 2025