CVE-2025-58782

EUVD-2025-27118

08.09.2025, 09:15

Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.

This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.

Deployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data.
Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA-ADP	ADP	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 66%

Affected Products (NVD)

Vendor	Product	Version
apache	jackrabbit	1.0.0 ≤ 𝑥 < 2.22.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

jackrabbit

bookworm	no-dsa
bullseye	postponed
forky	vulnerable
sid	vulnerable
trixie	no-dsa

Common Weakness Enumeration

CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

https://lists.apache.org/thread/t4wdrost6dh17dh406g792j9wq6xmy6v

http://www.openwall.com/lists/oss-security/2025/09/06/3