The Apache Software Foundation has disclosed a new vulnerability in Apache Jackrabbit Core and JCR Commons, tracked as CVE-2025-58782. The flaw, rated Important, affects versions 1.0.0 through 2.22.1 and is a JNDI injection in JndiRepositoryFactory, the factory that resolves a JCR repository from a JNDI name or a jndi: URI.
According to the mailing list, “Deployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data.”
Apache Jackrabbit is a fully conforming implementation of the Content Repository for Java Technology API (JCR). It provides a hierarchical content store with support for structured and unstructured data, versioning, transactions, full-text search, and observation. Many enterprise systems and content platforms rely on Jackrabbit as their backend repository engine.
The flaw arises from the way JNDI URIs are handled during JCR repository lookups: JndiRepositoryFactory hands the name it is given to a JNDI lookup without restricting where that name may point. A JNDI name can select a remote naming provider (an ldap:// or rmi:// URL, for example), so an attacker who controls the URI can direct the lookup at a server they operate; the reference that server returns is then processed by the Jackrabbit host, which can mean deserialization of untrusted data, a common pathway to remote code execution (RCE). The precondition is that the application takes the JNDI URI from untrusted input; the advisory scopes the issue to deployments that accept JNDI URIs for JCR lookup from untrusted users, not to every installation that has the artifacts on its classpath.
The affected components:
- org.apache.jackrabbit:jackrabbit-core (1.0.0 – 2.22.1)
- org.apache.jackrabbit:jackrabbit-jcr-commons (1.0.0 – 2.22.1)
Remote attackers could exploit this vulnerability to execute arbitrary code on servers using Jackrabbit where the JNDI URI used for the repository lookup is taken from untrusted input.
JNDI injection flaws are notorious because they bridge a lookup mechanism with object deserialization, so a single attacker-chosen string can open the door to:
- Remote Code Execution (RCE): Attackers may run arbitrary system commands.
- Data Exfiltration: Once code runs on the repository host, stored content, credentials and configuration are exposed to the attacker.
- Service Disruption: Exploitation could destabilize or crash Jackrabbit-based applications.
Given Jackrabbit’s integration into enterprise content management (ECM), web content systems, and digital experience platforms, exploitation could ripple across critical business environments.
Users are recommended to upgrade to version 2.22.2, in which JCR lookup through JNDI is disabled by default. Users of this feature need to enable it explicitly and are advised to review their use of JNDI URIs for JCR lookup: audit every place a URI or JNDI name reaches JcrUtils.getRepository or JndiRepositoryFactory and confirm it comes from operator configuration, never from a request parameter, header or other user-controlled value. To find the affected artifacts in a build, list the dependency tree (for Maven, mvn dependency:tree) and look for org.apache.jackrabbit:jackrabbit-core or org.apache.jackrabbit:jackrabbit-jcr-commons below 2.22.2, including transitive copies pulled in by content management products built on Jackrabbit.
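The following Java example, added here for illustration and not taken from the Jackrabbit project or the advisory, shows the pattern the advisory warns about (a lookup URI taken straight from the caller) beside a hardened form that resolves a fixed, operator-configured table of names, plus a defence-in-depth check that rejects any jndi: URI naming a remote provider. JcrUtils.getRepository and the jndi: URI scheme handled by JndiRepositoryFactory are real jackrabbit-jcr-commons API; the RepositoryLookup class, the repository names in the table and the sample URIs are assumptions constructed for this example. It needs jackrabbit-jcr-commons and the JCR API on the classpath; the main method only exercises the offline check.

```java
import java.util.Locale;
import java.util.Map;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.commons.JcrUtils;

// Hypothetical wrapper class; not part of Jackrabbit.
public class RepositoryLookup {

    // VULNERABLE PATTERN: the URI comes straight from the caller. A value such as
    // "jndi:ldap://attacker.example:1389/x" (constructed sample) makes the JNDI lookup
    // behind JndiRepositoryFactory contact an attacker-controlled naming service, and
    // the reference it returns can drive deserialization of untrusted data.
    public static Repository lookupUnsafe(String userSuppliedUri) throws RepositoryException {
        return JcrUtils.getRepository(userSuppliedUri);
    }

    // HARDENED: user input never reaches the lookup. The caller chooses a key and the
    // key is resolved against a fixed table of operator-configured JNDI names.
    // The names below are assumed for the example.
    private static final Map<String, String> REPOSITORIES = Map.of(
            "content", "jndi:java:comp/env/jcr/content",
            "assets",  "jndi:java:comp/env/jcr/assets");

    public static Repository lookupSafe(String repositoryKey) throws RepositoryException {
        String uri = REPOSITORIES.get(repositoryKey);
        if (uri == null) {
            throw new IllegalArgumentException("unknown repository key: " + repositoryKey);
        }
        return JcrUtils.getRepository(uri);
    }

    // Defence in depth for code that must still accept a URI (for instance from a
    // configuration source that is less trusted than the code): accept only a jndi:
    // URI whose name is a local java:comp/env binding, so that scheme-prefixed names
    // (ldap://, rmi://, dns://, iiop://) cannot select a remote naming provider.
    public static boolean isLocalJndiUri(String uri) {
        if (uri == null) {
            return false;
        }
        String u = uri.trim().toLowerCase(Locale.ROOT);
        if (!u.startsWith("jndi:")) {
            return false;
        }
        String name = u.substring("jndi:".length());
        if (name.contains("://")) {
            return false;   // a URL-form name routes the lookup to a remote provider
        }
        return name.startsWith("java:comp/env/");
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate local name, two remote-provider
        // URIs of the kind used in JNDI injection, one non-JNDI URI.
        String[] samples = {
            "jndi:java:comp/env/jcr/content",
            "jndi:ldap://attacker.example:1389/Exploit",
            "jndi:rmi://attacker.example:1099/Obj",
            "file:///var/lib/jackrabbit",
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isLocalJndiUri(s) ? "allowed" : "rejected"));
        }
    }
}
```

The table-based lookup is the fix to prefer: the set of repositories an application can open is a deployment decision, and there is no reason for a request to carry the lookup string itself. The isLocalJndiUri check is a backstop for code paths that cannot be restructured before the upgrade to 2.22.2; it does not replace the upgrade, in which the JNDI lookup is off unless explicitly enabled.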