CVE-2025-58782
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-08

Last updated on: 2025-11-19

Assigner: Apache Software Foundation

Description
Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-08
Last Modified
2025-11-19
Generated
2026-06-16
AI Q&A
2025-09-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58782
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
apache jackrabbit From 1.0.0 (inc) to 2.22.2 (inc)
apache jackrabbit_jcr_commons From 1.0.0 (inc) to 2.22.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Deserialization of Untrusted Data issue in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. It occurs when deployments accept JNDI URIs for JCR lookup from untrusted users, allowing attackers to inject malicious JNDI references. This can lead to arbitrary code execution through deserialization of untrusted data.

Impact Analysis

If exploited, this vulnerability can allow an attacker to execute arbitrary code on the affected system by injecting malicious JNDI references. This can compromise the security and integrity of the system running Apache Jackrabbit Core or JCR Commons.

Mitigation Strategies

Users should upgrade Apache Jackrabbit Core and Apache Jackrabbit JCR Commons to version 2.22.2 or later. In version 2.22.2, JCR lookup through JNDI has been disabled by default. If you rely on this feature, you need to explicitly enable it and carefully review your use of JNDI URIs for JCR lookup to avoid accepting untrusted input.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58782. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart