Red Hot Cyber


Apache Jackrabbit RCE Vulnerability: Exploitation in Progress, Update Now

Redazione RHC : 9 September 2025 10:27

A dangerous vulnerability has been discovered in Apache Jackrabbit that could lead to remote execution of arbitrary code and compromise enterprise systems. The issue is registered as CVE-2025-58782 and affects two key components simultaneously: Jackrabbit Core and JCR Commons. The flaw is present in all versions from 1.0.0 to 2.22.1 and is rated Important in severity.

The issue is an insecure deserialization that occurs during JNDI lookups of JCR repositories. If an application accepts external parameters to connect to a repository, an attacker can inject a malicious JNDI URI. The vulnerable component then deserializes the object encoded in the link, allowing the attacker to execute arbitrary commands on the server. This scenario opens the door to information theft, backdoor installation, or complete control of the infrastructure.

Deployments that use JndiRepositoryFactory to locate JCR repositories are particularly exposed. In this case, an attacker-supplied URI delivers a malicious payload, which the system then processes without proper verification. Because the object is deserialized automatically, the built-in security mechanisms do not prevent exploitation, and the potential damage depends directly on the privilege level with which the Jackrabbit process is running.

One of the project's lead developers, Marcel Reutegger, confirmed the bug and urged administrators to update immediately. The fix is included in version 2.22.2, where JNDI lookups are disabled by default. Those who require the feature will need to enable it manually, carefully checking all settings. Those unable to quickly update to the new version are encouraged to at least disable JNDI lookups and monitor suspicious connections associated with external URIs.
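The two interim controls described above (reject repository URIs the application does not expect, and watch for lookups pointing at external hosts) can be illustrated in code. The following Python is an added example written for this article, not Jackrabbit's own code: the allowlist entries, the log line format and every host and URI in it are constructed, and a real deployment would wire the URI check in front of whatever calls the JNDI-backed repository lookup and point the scanner at its actual application logs.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the only repository locations this hypothetical
# deployment is configured to use. Anything else is rejected by default.
ALLOWED_REPOSITORY_URIS = frozenset({
    "java:comp/env/jcr/repository",      # local JNDI ENC binding (constructed)
    "file:///var/lib/jackrabbit/repo",   # local filesystem repository (constructed)
})


def check_repository_uri(uri, allowlist=ALLOWED_REPOSITORY_URIS):
    """Return (accepted, reason) for a caller-supplied repository URI.

    Deny by default: only exact allowlist matches are accepted. A URI that
    names a network host is reported separately, because that is the shape
    of a lookup that would be resolved remotely instead of from local config.
    """
    uri = uri.strip()
    if uri in allowlist:
        return True, "allowlisted"
    parts = urlsplit(uri)
    if parts.netloc:
        return False, f"remote lookup to host {parts.netloc}"
    return False, "not allowlisted"


# Constructed log lines in a made-up layout; a real Jackrabbit log differs.
SAMPLE_LOG_LINES = [
    "2025-09-09T10:27:01Z INFO  repo-lookup client=10.0.0.12 uri=java:comp/env/jcr/repository",
    "2025-09-09T10:27:05Z INFO  repo-lookup client=198.51.100.7 uri=ldap://203.0.113.5:1389/obj",
    "2025-09-09T10:27:09Z INFO  repo-lookup client=10.0.0.30 uri=file:///var/lib/jackrabbit/repo",
    "2025-09-09T10:27:14Z INFO  repo-lookup client=198.51.100.7 uri=rmi://203.0.113.5:1099/obj",
    "2025-09-09T10:27:20Z INFO  repo-lookup client=10.0.0.12 uri=java:comp/env/jcr/staging",
]

# Extracts the requesting client and the repository URI from one log line.
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+uri=(?P<uri>\S+)")


def find_suspicious_lookups(lines, allowlist=ALLOWED_REPOSITORY_URIS):
    """Scan log lines and return (timestamp, client, uri, reason) for every
    repository lookup whose URI fails check_repository_uri."""
    findings = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue  # not a repository lookup line
        accepted, reason = check_repository_uri(match["uri"], allowlist)
        if not accepted:
            timestamp = line.split(" ", 1)[0]
            findings.append((timestamp, match["client"], match["uri"], reason))
    return findings


if __name__ == "__main__":
    for timestamp, client, uri, reason in find_suspicious_lookups(SAMPLE_LOG_LINES):
        print(f"{timestamp} client={client} uri={uri}: {reason}")
```

The allowlist is deliberately exact-match: a deployment knows the handful of repository locations it uses, so there is no reason to accept anything the configuration did not name. Reporting remote hosts as a distinct reason lets the scanner separate a misconfigured internal name from a lookup directed at an outside host, which is the pattern the advisory asks administrators to watch for.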

The danger is that such a flaw could be automated through exploits, making unprotected servers an easy target. Apache Jackrabbit is widely used for content management, enterprise search, and document storage, so the scope of potential attacks is estimated to be significant. The project records the bug as JCR-5135, and information about it has been published in the official Apache database and the CVE catalog. The issue was reported by researcher James John, who is thanked in the bulletin.

Experts warn that, given the exploitation attempts already reported, delaying the update is extremely risky. A timely transition to version 2.22.2, or disabling the insecure mechanisms, could become the only barrier between corporate data and attackers.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
