Moderate severity · NVD Advisory · Published Sep 8, 2025 · Updated Nov 4, 2025

Apache Jackrabbit Core, Apache Jackrabbit JCR Commons: JNDI injection risk with JndiRepositoryFactory

CVE-2025-58782

Description

Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.

This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.

Deployments that accept JNDI URIs for JCR lookup from untrusted users allow those users to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are advised to review their use of JNDI URIs for JCR lookup.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Deserialization vulnerability in Apache Jackrabbit allows arbitrary code execution via untrusted JNDI URIs; fixed in 2.22.2 by disabling JNDI lookup by default.

CVE-2025-58782 is a deserialization of untrusted data vulnerability in Apache Jackrabbit Core and JCR Commons, affecting versions 1.0.0 through 2.22.1 [1]. The root cause is that JndiRepositoryFactory accepts JNDI URIs without proper validation, allowing injection of malicious references [4].

An attacker can exploit this by providing a crafted JNDI URI to a vulnerable application, which when processed leads to deserialization of attacker-controlled data [1]. This can result in arbitrary code execution on the server [4]. The attack requires the application to accept JNDI URIs from untrusted users [1].

The impact is critical, as successful exploitation allows remote code execution, compromising the confidentiality, integrity, and availability of the system [1].

The vulnerability is fixed in version 2.22.2, where JNDI lookup is disabled by default [2]. Users are advised to upgrade immediately and, if JNDI lookup is required, to enable it explicitly and review their use of JNDI URIs [3].
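The advisory's remediation advice is to disable JNDI lookup unless it is needed and to review every place a JNDI URI reaches the repository factory. The following is an added defensive example, not code from the Jackrabbit project or from this advisory: an allowlist guard applied in application code before any repository lookup, so that a repository URI supplied by a request, form field or configuration loaded from an untrusted location is rejected unless it names a JNDI binding the deployment itself registered. The allowlisted name `java:comp/env/jcr/repository`, the assumed `jndi:` URI form (scheme followed by an optional `//` and the JNDI name), and the use of `org.apache.jackrabbit.commons.JcrUtils.getRepository(String)` as the lookup call are assumptions for illustration; adapt them to the lookup path the application actually uses.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.Set;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.commons.JcrUtils;

/**
 * Allowlist guard for repository lookup URIs (added example, not project code).
 * Only a "jndi:" URI whose JNDI name the deployment registered itself is accepted;
 * every other scheme, and every unknown JNDI name, is rejected before it can
 * reach a RepositoryFactory.
 */
public final class RepositoryUriGuard {

    // Constructed allowlist: the JNDI names this deployment binds a Repository under.
    // (Assumption: the name below is illustrative, not taken from the advisory.)
    private static final Set<String> ALLOWED_JNDI_NAMES =
            Collections.singleton("java:comp/env/jcr/repository");

    private RepositoryUriGuard() {}

    /** Extracts the JNDI name from a "jndi:" URI, or returns null if the URI is not acceptable. */
    static String allowedJndiName(String uri) {
        if (uri == null || uri.trim().isEmpty()) {
            return null;
        }
        final URI parsed;
        try {
            parsed = new URI(uri.trim());
        } catch (URISyntaxException e) {
            return null; // malformed input is rejected rather than passed on
        }
        // Only the jndi scheme is considered; file:, http:, rmi: etc. are refused outright.
        if (parsed.getScheme() == null || !"jndi".equalsIgnoreCase(parsed.getScheme())) {
            return null;
        }
        // Assumed URI form: "jndi:<name>" or "jndi://<name>"; strip scheme and optional "//".
        String name = uri.trim().substring("jndi:".length());
        if (name.startsWith("//")) {
            name = name.substring(2);
        }
        // Exact match only: no prefix matching, no normalisation, so a crafted name
        // that merely resembles an allowed one is still rejected.
        return ALLOWED_JNDI_NAMES.contains(name) ? name : null;
    }

    /** True when the URI may be handed to the repository factory. */
    public static boolean isAllowed(String uri) {
        return allowedJndiName(uri) != null;
    }

    /**
     * Looks up the repository only after the guard has accepted the URI.
     * Assumption: JcrUtils.getRepository(String) is the application's lookup call.
     */
    public static Repository lookup(String uri) throws RepositoryException {
        if (!isAllowed(uri)) {
            throw new RepositoryException("Rejected repository URI (not on the JNDI allowlist): " + uri);
        }
        return JcrUtils.getRepository(uri);
    }

    public static void main(String[] args) throws RepositoryException {
        // Constructed inputs: one allowlisted name, one attacker-style reference to a foreign host.
        System.out.println(isAllowed("jndi:java:comp/env/jcr/repository")); // true
        System.out.println(isAllowed("jndi://example.invalid/Object"));      // false
        System.out.println(isAllowed("file:///tmp/repository"));             // false
    }
}
```

The guard is a second line of defence for deployments that must keep JNDI lookup enabled after upgrading to 2.22.2; it does not replace the upgrade, and the rejection branch is a natural place to log the offending URI for detection.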

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.jackrabbit:jackrabbit-core (Maven) | >= 1.0.0, < 2.22.2 | 2.22.2
org.apache.jackrabbit:jackrabbit-jcr-commons (Maven) | >= 1.0.0, < 2.22.2 | 2.22.2

Affected products

  • Range: >=1.0.0 <=2.22.1
  • Range: >=1.0.0 <=2.22.1
  • Apache Software Foundation / Apache Jackrabbit Core (v5), Range: 1.0.0
  • Apache Software Foundation / Apache Jackrabbit JCR Commons (v5), Range: 1.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.