CVE-2025-58782

Published: Sep 8, 2025

Modified: Nov 4, 2025

PUBLISHED

Description

Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup.

Vendor	Product	Versions
Apache Software Foundation	Apache Jackrabbit Core	affected `1.0.0 - <= 2.22.1`
Apache Software Foundation	Apache Jackrabbit JCR Commons	affected `1.0.0 - <= 2.22.1`

Weaknesses (CWE)

CWE-502

References

https://lists.apache.org/thread/t4wdrost6dh17dh406g792j9wq6xmy6v

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-58782

Description

Affected Products

Weaknesses (CWE)

References