The Apache Software Foundation has disclosed a new vulnerability in Apache Jackrabbit Core and JCR Commons, tracked as CVE-2025-58782. The flaw, classified as Important, impacts versions 1.0.0 through 2.22.1 and introduces a JNDI injection risk when using the JndiRepositoryFactory.
According to the mailing list announcement, "Deployments that accept JNDI URIs for JCR lookup from untrusted users allow them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data."
Apache Jackrabbit is a fully conforming implementation of the Content Repository for Java Technology API (JCR). It provides a hierarchical content store with support for structured and unstructured data, versioning, transactions, full-text search, and observation. Many enterprise systems and content platforms rely on Jackrabbit as their backend repository engine.
The flaw arises from the way JNDI URIs are handled during JCR repository lookups: a `jndi:` repository URI carries a JNDI name that the JndiRepositoryFactory looks up as given, so whoever controls that URI controls what the naming service resolves. By supplying a malicious JNDI reference, attackers could trigger the deserialization of untrusted data, a common pathway to remote code execution (RCE).
The affected components:
- org.apache.jackrabbit:jackrabbit-core (1.0.0 through 2.22.1)
- org.apache.jackrabbit:jackrabbit-jcr-commons (1.0.0 through 2.22.1)
Remote attackers could exploit this vulnerability to execute arbitrary code on servers using Jackrabbit with JNDI lookups exposed to untrusted users.
JNDI injection flaws are notorious because they bridge lookup mechanisms with object deserialization, opening doors to:
- Remote Code Execution (RCE): Attackers may run arbitrary system commands.
- Data Exfiltration: Malicious JNDI endpoints could leak sensitive repository content.
- Service Disruption: Exploitation could destabilize or crash Jackrabbit-based applications.
Given Jackrabbit's integration into enterprise content management (ECM), web content systems, and digital experience platforms, exploitation could ripple across critical business environments.
Users are recommended to upgrade to version 2.22.2, in which JCR lookup through JNDI is disabled by default. Users of this feature need to enable it explicitly and are advised to review every place a JNDI URI for JCR lookup is accepted, making sure none is taken from untrusted input.
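The contrast between a lookup that trusts a caller-supplied repository URI and one that does not, as an added example. This is illustration code, not code from Jackrabbit or from the advisory; it assumes the JCR API and jackrabbit-jcr-commons on the classpath, and the JNDI names `jcr/content` and `jcr/archive` are assumed container bindings, not real ones.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.jcr.Repository;
import javax.jcr.RepositoryException;

import org.apache.jackrabbit.commons.JcrUtils;

/**
 * Added illustration of CVE-2025-58782's root pattern and two ways to close it.
 * Not Jackrabbit's own code; the JNDI names below are assumed bindings.
 */
public class JcrLookupGuard {

    // VULNERABLE: the raw string reaches JcrUtils.getRepository(), which hands a
    // "jndi:" URI to JndiRepositoryFactory. The JNDI name inside the URI is then
    // looked up as given, so the caller decides what the naming service resolves.
    static Repository lookupUnsafe(String callerSuppliedUri) throws RepositoryException {
        return JcrUtils.getRepository(callerSuppliedUri);
    }

    // HARDENED (preferred): callers choose a key; the server owns the URIs.
    // Both entries are assumed values for this example.
    private static final Map<String, String> REPOSITORIES = Map.of(
            "content", "jndi:jcr/content",
            "archive", "jndi:jcr/archive");

    static Repository lookupByKey(String key) throws RepositoryException {
        String uri = REPOSITORIES.get(key);
        if (uri == null) {
            throw new RepositoryException("unknown repository key: " + key);
        }
        return JcrUtils.getRepository(uri);
    }

    // HARDENED (fallback): if a URI must be accepted, e.g. from an admin-edited
    // config file, validate it against an allow-list before it reaches JcrUtils.
    private static final Set<String> ALLOWED_JNDI_NAMES = Set.of("jcr/content", "jcr/archive");

    static boolean isAllowedRepositoryUri(String raw) {
        if (raw == null) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        if (scheme == null || !scheme.toLowerCase(Locale.ROOT).equals("jndi")) {
            return false; // other schemes need their own rules; reject by default
        }
        String name = uri.getSchemeSpecificPart();
        if (name == null || name.isEmpty() || name.contains(":")) {
            // A JNDI name that is itself a URL (ldap://host/x, rmi://host/x) is
            // dispatched by the JDK to a URL context factory, i.e. a lookup against
            // a server the caller picked. Never allow that from a URI you did not write.
            return false;
        }
        return ALLOWED_JNDI_NAMES.contains(name);
    }

    static Repository lookupValidated(String raw) throws RepositoryException {
        if (!isAllowedRepositoryUri(raw)) {
            throw new RepositoryException("repository URI rejected: " + raw);
        }
        return JcrUtils.getRepository(raw);
    }

    // Constructed inputs exercising the validator; no repository is contacted here.
    public static void main(String[] args) {
        String[] samples = {
                "jndi:jcr/content",          // allowed
                "jndi:jcr/other",            // unknown name -> rejected
                "jndi:ldap://127.0.0.1/x",   // URL-shaped JNDI name -> rejected
                "jndi:rmi://127.0.0.1/x",    // same, via RMI -> rejected
                "http://127.0.0.1/server",   // not a JNDI URI -> rejected
                "not a uri"                  // unparsable -> rejected
        };
        for (String s : samples) {
            System.out.println((isAllowedRepositoryUri(s) ? "allow  " : "reject ") + s);
        }
    }
}
```

`lookupByKey` is the shape to aim for: the client never sends a URI at all. `isAllowedRepositoryUri` is for the case where a URI genuinely has to be read from somewhere, and it rejects anything it cannot positively match, including JNDI names that embed a URL scheme. Neither helper replaces the upgrade to 2.22.2; it closes the same hole in application code that still runs an older release, and stays useful afterwards for deployments that re-enable JNDI lookup.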