
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity vulnerability (CVE-2025-53066) has been identified in the JAXP (Java API for XML Processing) component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Affected versions are Oracle Java SE 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8 and 25; Oracle GraalVM for JDK 17.0.16 and 21.0.8; and Oracle GraalVM Enterprise Edition 21.3.15. The vulnerability was disclosed in October 2025 (Oracle Security, NVD).
The vulnerability carries a CVSS 3.1 Base Score of 7.5 (High) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: it is reachable over the network, low in attack complexity, and requires neither privileges nor user interaction, with the impact limited to confidentiality. Oracle characterizes it as easily exploitable by an unauthenticated attacker with network access via multiple protocols. The attack surface is the JAXP APIs themselves, so the typical exposure is a server-side web service that hands client-supplied XML to a JAXP parser. Oracle also lists client-side exposure through sandboxed Java Web Start applications or sandboxed Java applets that load and execute untrusted code from the internet; since Java Web Start and the browser plug-in were removed in JDK 11, that client-side case concerns Java 8 deployments (NVD).
Successful exploitation can result in unauthorized access to critical data or complete access to all data accessible to the affected Oracle Java SE, Oracle GraalVM for JDK, or Oracle GraalVM Enterprise Edition process. The impact is confined to confidentiality (C:H); integrity and availability are not directly affected (NVD).
Oracle has released fixes as part of its October 2025 Critical Patch Update. Users are strongly advised to update affected versions of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition without delay. When checking exposure, inventory not only system-installed JDKs but also the JREs bundled inside vendor products and container images, which are easy to overlook and often lag behind (Oracle Security).
Source: This report was generated using AI