Description

Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup.

INFO

Published Date :

2025-09-08T08:53:15.818Z

Last Modified :

2025-11-04T21:13:47.254Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2025-58782 vulnerability.

Vendors Products
Apache
  • Jackrabbit
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-58782.

URL Resource
http://www.openwall.com/lists/oss-security/2025/09/06/3 cve-icon
https://github.com/apache/jackrabbit-site/pull/6 cve-icon
https://github.com/apache/jackrabbit-site/pull/9 cve-icon
https://github.com/apache/jackrabbit/pull/229 cve-icon
https://issues.apache.org/jira/browse/JCR-5135 cve-icon
https://lists.apache.org/thread/t4wdrost6dh17dh406g792j9wq6xmy6v cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-58782 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-58782 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact