### Key Information

#### Vulnerability ID

CVE-2025-58782

#### Affected Components

- Apache Jackrabbit Core
- Apache Jackrabbit JCR Commons

#### Affected Versions

- Apache Jackrabbit Core (org.apache.jackrabbit:jackrabbit-core) 1.0.0 to 2.22.1
- Apache Jackrabbit JCR Commons (org.apache.jackrabbit:jackrabbit-jcr-commons) 1.0.0 to 2.22.1

#### Severity

Important

#### Description

Apache Jackrabbit Core and Apache Jackrabbit JCR Commons are affected by an untrusted data deserialization vulnerability. This issue affects:

- Apache Jackrabbit Core: versions 1.0.0 to 2.22.1
- Apache Jackrabbit JCR Commons: versions 1.0.0 to 2.22.1

Deployments that accept JNDI URIs from untrusted users for JCR lookups allow them to inject malicious JNDI references, potentially leading to arbitrary code execution via deserialization of untrusted data.

#### Recommended Actions

Users are advised to upgrade to version 2.22.2. JCR lookups via JNDI are disabled by default in 2.22.2. Users who require this functionality should explicitly enable it and review their usage of JNDI URIs for JCR lookups.

#### Tracking ID

JCR-5135

#### Reporter

James John

#### References

- https://jackrabbit.apache.org/
- https://www.cve.org/CVERecord?id=CVE-2025-58782
- https://issues.apache.org/jira/browse/JCR-5135
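As an added illustration (not code from this advisory or from the Jackrabbit project), the following shows the defence-in-depth check the description implies for deployments that re-enable JNDI lookups in 2.22.2: a repository URI that originates from a user is only handed to the repository factory when its scheme is on an explicit allowlist, so a `jndi:` URI is rejected before any lookup happens. It assumes the application resolves repositories through `JcrUtils.getRepository(String)` from jackrabbit-jcr-commons; the allowlist contents and the class name are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

import javax.jcr.Repository;
import javax.jcr.RepositoryException;

import org.apache.jackrabbit.commons.JcrUtils;

/**
 * Resolves a JCR repository only for URI schemes an operator has approved
 * in advance. "jndi" is deliberately absent, so a user-controlled URI can
 * never reach the JNDI-based repository lookup described in CVE-2025-58782.
 * Hypothetical helper, not part of Jackrabbit.
 */
public final class SafeRepositoryResolver {

    // Hypothetical allowlist; the real set depends on the deployment.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("file", "http", "https");

    private SafeRepositoryResolver() {}

    /** Returns true only if the URI parses and its scheme is allowlisted. */
    public static boolean isAllowed(String uri) {
        if (uri == null) {
            return false;
        }
        try {
            String scheme = new URI(uri).getScheme();
            // Fail closed on scheme-less or unparsable input; compare case-insensitively.
            return scheme != null
                && ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Looks up the repository, refusing any URI that is not allowlisted. */
    public static Repository lookup(String uri) throws RepositoryException {
        if (!isAllowed(uri)) {
            // Rejected before JcrUtils sees the URI, so no JNDI lookup is attempted.
            throw new RepositoryException("Repository URI scheme not permitted: " + uri);
        }
        return JcrUtils.getRepository(uri);
    }
}
```

Inputs such as `jndi:java:comp/env/jcr/repository` or `jndi://host/name` parse with scheme `jndi` and are refused; `file:///var/jackrabbit` passes and is resolved as before.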