Deserialization Vulnerability in Apache Jackrabbit Core and JCR Commons
CVE-2025-58782

6.5 MEDIUM

What is CVE-2025-58782?

A deserialization of untrusted data vulnerability exists in both Apache Jackrabbit Core and JCR Commons, affecting versions 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR repository lookup from untrusted users are susceptible to malicious JNDI references, which can lead to arbitrary code execution through unsafe deserialization. Users are advised to upgrade to version 2.22.2, where the JNDI lookup capability is disabled by default. Users who rely on this feature are encouraged to review their use of JNDI URIs for JCR lookup.
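The practical defender-side check the advisory implies is to never hand an untrusted string straight to the repository lookup. The following Java class is an added example, not code from the Jackrabbit project or from this advisory: it allowlists repository URI schemes before calling `JcrUtils.getRepository(String)` (a real jackrabbit-jcr-commons API) and fails closed for everything else, so JNDI references are rejected by construction regardless of casing. The allowlist contents, the `SafeRepositoryLookup` class name, and the `jndi:`-prefixed sample input are assumptions of this example; adjust the allowlist to the schemes your deployment actually uses.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

import javax.jcr.Repository;
import javax.jcr.RepositoryException;

import org.apache.jackrabbit.commons.JcrUtils;

/**
 * Added example (not Jackrabbit project code): gate untrusted repository URIs
 * before they reach JcrUtils. The scheme allowlist below is an assumption of
 * this example and must be tailored to the deployment.
 */
public final class SafeRepositoryLookup {

    // Assumed allowlist: only the scheme(s) this deployment actually uses.
    // JNDI-style URIs are rejected simply because they are not listed.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("file");

    private SafeRepositoryLookup() {}

    /** Returns true only when the URI parses and its scheme is allowlisted. */
    static boolean isAllowedRepositoryUri(String uri) {
        if (uri == null || uri.isBlank()) {
            return false;
        }
        try {
            URI parsed = new URI(uri.trim());
            String scheme = parsed.getScheme();
            // Compare case-insensitively so "JNDI:" cannot slip past a lowercase check.
            return scheme != null
                && ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false; // unparseable input is treated as untrusted
        }
    }

    /** Looks up the repository only for allowlisted URIs; otherwise fails closed. */
    static Repository lookup(String untrustedUri) throws RepositoryException {
        if (!isAllowedRepositoryUri(untrustedUri)) {
            throw new RepositoryException("Repository URI scheme not permitted");
        }
        return JcrUtils.getRepository(untrustedUri);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for illustration only.
        String[] samples = {
            "file:///var/lib/jackrabbit/repository",   // allowed by the assumed allowlist
            "jndi:java:comp/env/jcr/repository",       // assumed JNDI form, rejected
            "JNDI:java:comp/env/jcr/repository",       // case variant, still rejected
            "not a uri"                                // unparseable, rejected
        };
        for (String s : samples) {
            System.out.println(s + " -> "
                + (isAllowedRepositoryUri(s) ? "allowed" : "rejected"));
        }
    }
}
```

The allowlist is deliberately a positive list rather than a "deny `jndi:`" rule: a deny rule has to anticipate every spelling and every other factory that might resolve a reference, whereas a positive list only grows when an operator consciously adds a scheme. Pair this with the advisory's own guidance, upgrading to 2.22.2 so JNDI lookup stays disabled unless explicitly re-enabled.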

Affected Version(s)

Apache Jackrabbit Core 1.0.0 through 2.22.1

Apache Jackrabbit JCR Commons 1.0.0 through 2.22.1

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

James John