CVE-2025-58782
BaseFortify
Publication date: 2025-09-08
Last updated on: 2025-11-19
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | jackrabbit | From 1.0.0 (inc) to 2.22.2 (inc) |
| apache | jackrabbit_jcr_commons | From 1.0.0 (inc) to 2.22.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Deserialization of Untrusted Data issue in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. It occurs when deployments accept JNDI URIs for JCR lookup from untrusted users, allowing attackers to inject malicious JNDI references. This can lead to arbitrary code execution through deserialization of untrusted data.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to execute arbitrary code on the affected system by injecting malicious JNDI references. This can compromise the security and integrity of the system running Apache Jackrabbit Core or JCR Commons.
What immediate steps should I take to mitigate this vulnerability?
Users should upgrade Apache Jackrabbit Core and Apache Jackrabbit JCR Commons to version 2.22.2 or later. In version 2.22.2, JCR lookup through JNDI has been disabled by default. If you rely on this feature, you need to explicitly enable it and carefully review your use of JNDI URIs for JCR lookup to avoid accepting untrusted input.