Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons
Description
Blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2, caused by the use of an unsecured DocumentBuilder to load privileges.
Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are no longer supported, so users should update to the respective supported version.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Jackrabbit before 2.23.2 contains blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core due to an unsecured document builder, allowing data exfiltration.
Vulnerability Overview
CVE-2025-53689 describes blind XML External Entity (XXE) vulnerabilities in the Apache Jackrabbit content repository implementation. The flaws reside in the jackrabbit-spi-commons and jackrabbit-core components, specifically where an unsecured DocumentBuilder is used to parse XML input when loading privileges [1][4]. The root cause is that the parser is created with default JAXP settings, which place no restriction on DOCTYPE declarations or external entity expansion; an attacker who controls the XML can therefore declare entities that the parser resolves [2].
Exploitation Conditions
Exploitation requires the attacker to get crafted XML into the vulnerable privilege-loading code path of a Jackrabbit instance. Where the affected deployment exposes an endpoint that accepts such XML over the network, this may be possible without authentication. Because the vulnerability is blind XXE, the attacker does not see the expanded entity in a response, but can still exfiltrate data out-of-band by making the parser issue external requests (for example, HTTP requests carrying file contents to an attacker-controlled server) [1][2][4]. The fix secures the DocumentBuilderFactory before parsing, disabling DTD and external entity processing (e.g., setting XMLConstants.ACCESS_EXTERNAL_DTD to an empty string and enabling FEATURE_SECURE_PROCESSING) [2].
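As an added illustration (this is not code from Apache Jackrabbit or from its fix commit), the unsecured parsing pattern is shown beside a hardened DocumentBuilderFactory. The privileges-style element names, the file path used by the entity, and the class name are assumptions made for the demo; the feature and attribute names are standard JAXP/Xerces settings.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class PrivilegeParserDemo {

    // Constructed sample: a privileges-style document whose DOCTYPE declares an
    // external entity. Element names are illustrative, not Jackrabbit's schema.
    // A SYSTEM URL of http://attacker/... instead of file:///... is the blind,
    // out-of-band variant: the parser itself makes the outbound request.
    static final String MALICIOUS_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE privileges [\n" +
        "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n" +
        "]>\n" +
        "<privileges>\n" +
        "  <privilege name=\"&xxe;\" abstract=\"false\"/>\n" +
        "</privileges>\n";

    // The vulnerable pattern: a DocumentBuilderFactory with JAXP defaults.
    // External entities are resolved, so &xxe; expands to the file's contents.
    static DocumentBuilder unsecuredBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened factory: reject DOCTYPE outright (which also defeats the
    // parameter-entity tricks blind XXE relies on), then close every other
    // external-access path in case DTD support is ever re-enabled.
    static DocumentBuilder securedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse the document and return the name attribute of the first privilege,
    // which is where the expanded entity lands in the unsecured case.
    static String firstPrivilegeName(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("privilege").item(0)
                .getAttributes().getNamedItem("name").getNodeValue();
    }

    public static void main(String[] args) throws Exception {
        // Unsecured: the attribute value is the contents of /etc/hostname. On a
        // system without that file the parser still tries to open it and fails,
        // which is itself the evidence that the entity was resolved.
        try {
            System.out.println("unsecured: " + firstPrivilegeName(unsecuredBuilder(), MALICIOUS_XML));
        } catch (Exception e) {
            System.out.println("unsecured: parser tried to resolve the entity -> " + e);
        }

        // Secured: parsing fails at the DOCTYPE, before any entity is resolved.
        try {
            firstPrivilegeName(securedBuilder(), MALICIOUS_XML);
            System.out.println("secured: UNEXPECTED success");
        } catch (SAXParseException e) {
            System.out.println("secured: rejected -> " + e.getMessage());
        }
    }
}
```

Run it with `javac PrivilegeParserDemo.java && java PrivilegeParserDemo`. The disallow-doctype-decl feature is the one that matters for this class of bug; the remaining settings are defence in depth, and wrapping them in a single factory method that every XML entry point calls is the review check worth adding to any codebase that still creates DocumentBuilderFactory instances inline.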
Attacker Gains
A successful blind XXE attack can disclose files readable by the Jackrabbit server process, including configuration files containing credentials, with the contents exfiltrated over the out-of-band channel. In some scenarios the attacker can also perform Server-Side Request Forgery (SSRF), making the vulnerable server issue requests to internal network resources that are not reachable from outside [1][4]. Taken together, this can lead to unauthorized access to backend systems and further data exfiltration.
Mitigation
Apache has released fixed versions: Jackrabbit 2.20.17 (Java 8), 2.22.1 (Java 11), and 2.23.2 (Java 11, beta). Users running any earlier version, including versions beyond official support (2.20.16 and older), must upgrade to one of these patched releases to mitigate the risk [1][4]. No workarounds have been documented; applying the update is the only recommended course of action.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.jackrabbit:jackrabbit-spi-commons | Maven | >= 2.20.0, < 2.20.17 | 2.20.17 |
| org.apache.jackrabbit:jackrabbit-spi-commons | Maven | >= 2.22.0, < 2.22.1 | 2.22.1 |
| org.apache.jackrabbit:jackrabbit-spi-commons | Maven | >= 2.23.0-beta, < 2.23.2-beta | 2.23.2-beta |
| org.apache.jackrabbit:jackrabbit-core | Maven | >= 2.20.0, < 2.20.17 | 2.20.17 |
| org.apache.jackrabbit:jackrabbit-core | Maven | >= 2.22.0, < 2.22.1 | 2.22.1 |
| org.apache.jackrabbit:jackrabbit-core | Maven | >= 2.23.0-beta, < 2.23.2-beta | 2.23.2-beta |
Affected products
- Range: < 2.23.2
- Apache Software Foundation / Apache Jackrabbit, range: 2.20.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://github.com/advisories/GHSA-44c3-38h8-9fh9 (GHSA advisory)
[2] https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24 (vendor advisory)
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-53689 (NVD advisory)
[4] https://www.openwall.com/lists/oss-security/2025/07/14/1 (oss-security post)
[5] https://github.com/apache/jackrabbit/pull/263/commits/02786c0a01838580252bdab79bfa54026c30294e (fix commit)
News mentions
No linked articles in our index yet.