Wiz
Vulnerability DatabaseCVE-2025-58782

CVE-2025-58782
Java vulnerability analysis and mitigation

Overview

A critical vulnerability (CVE-2025-58782) has been identified in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons, affecting versions 1.0.0 through 2.22.1. The vulnerability was disclosed on September 8, 2025, and is classified as a Deserialization of Untrusted Data vulnerability. Apache Jackrabbit, which serves as a fully conforming implementation of the Content Repository for Java Technology API (JCR), provides critical functionality for enterprise content management systems and digital platforms (NVD Database, Security Online).

Technical details

The vulnerability stems from the way JNDI URIs are handled during JCR repository lookups. The issue specifically affects the JndiRepositoryFactory component, where deployments accepting JNDI URIs for JCR lookup from untrusted users are vulnerable to malicious JNDI reference injection. The vulnerability has been assigned a CVSS 3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network accessibility with low attack complexity (NVD Database).

Impact

The vulnerability can lead to significant security implications, particularly in enterprise environments. When successfully exploited, it enables remote code execution through the deserialization of untrusted data. The impact includes potential remote code execution allowing attackers to run arbitrary system commands, data exfiltration risks where malicious JNDI endpoints could leak sensitive repository content, and service disruption that could destabilize or crash Jackrabbit-based applications. Given Jackrabbit's widespread use in enterprise content management systems, web content systems, and digital experience platforms, the potential impact is particularly concerning (Security Online).

Mitigation and workarounds

Users are strongly recommended to upgrade to version 2.22.2, where JCR lookup through JNDI has been disabled by default. For users who require this feature, it must be explicitly enabled, and a thorough review of JNDI URI usage for JCR lookup is advised. The affected components that require updating are org.apache.jackrabbit:jackrabbit-core and org.apache.jackrabbit:jackrabbit-jcr-commons (NVD Database, Security Online).

Additional resources

SourceThis report was generated using AI

Related Java vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-58365HIGH8.7
  • JavaJava
  • org.xwiki.contrib.blog:application-blog-ui
NoYesSep 08, 2025
CVE-2025-58782MEDIUM6.5
  • JavaJava
  • org.apache.jackrabbit:jackrabbit-core
NoYesSep 08, 2025
CVE-2025-58369MEDIUM5.3
  • JavaJava
  • co.fs2:fs2-io_2.12.0-RC1
NoYesSep 05, 2025
GHSA-c7v7-rqfm-f44jMEDIUM5.3
  • JavaJava
  • com.vaadin:vaadin
NoYesSep 04, 2025
GHSA-94g8-xv23-7656MEDIUM5.3
  • JavaJava
  • com.vaadin:vaadin-upload-flow
NoYesSep 04, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo