Advisory

Critical deserialization vulnerability reported in Apache Jackrabbit, enables remote code execution

Take action: Review your Apache Jackrabbit system. Ideally make sure it's isolated from the internet and runs with minimal privileges. Then plan a quick update to version 2.22.2 or later.


Learn More

The Apache Jackrabbit project has addressed a critical vulnerability in its content repository, which is used in enterprise content management systems and web applications.

Apache Jackrabbit is an open-source content repository for storing, managing and retrieving hierarchical content in enterprise applications. It is used in content management system (CMS) platforms, document management systems, digital asset management systems and other enterprise applications.

The flaw is tracked as CVE-2025-58782 (CVSS score 9.8) and is a deserialization of untrusted data issue that enables authenticated attackers to achieve arbitrary code execution on vulnerable servers. The vulnerability affects deployments that accept Java Naming and Directory Interface (JNDI) URIs for Java Content Repository (JCR) lookup from untrusted sources.

By crafting specially designed JNDI URIs, attackers can exploit the deserialization process to execute arbitrary commands on the underlying server, potentially leading to complete system compromise.

The vulnerability affects Apache Jackrabbit Core (org.apache.jackrabbit:jackrabbit-core) versions 1.0.0 through 2.22.1 and Apache Jackrabbit JCR Commons (org.apache.jackrabbit:jackrabbit-jcr-commons) versions 1.0.0 through 2.22.1.

Apache has already patched this vulnerability in version 2.22. Organizations can verify their current Apache Jackrabbit version by checking their deployment configuration and dependency management files. 
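As an added check (not from the advisory or the Jackrabbit project), the script below scans constructed Maven and Gradle dependency declarations for the two affected artifacts and flags any version in the 1.0.0 through 2.22.1 range named above; the sample pom.xml and build.gradle contents are made up for the demonstration.

```python
# Added example, not from the advisory: flag Jackrabbit dependency versions
# inside the affected range (1.0.0 .. 2.22.1) in Maven and Gradle files.
import re
import xml.etree.ElementTree as ET

AFFECTED_ARTIFACTS = {"jackrabbit-core", "jackrabbit-jcr-commons"}
AFFECTED_MIN, AFFECTED_MAX = (1, 0, 0), (2, 22, 1)  # 2.22.2+ carries the fix

def parse_version(text):
    """'2.22.1' or '2.22.1-SNAPSHOT' -> (2, 22, 1); missing parts count as 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def maven_deps(pom_xml):
    """(groupId, artifactId, version) triples from a pom.xml string, namespace-agnostic."""
    local = lambda tag: tag.rsplit("}", 1)[-1]  # drop '{xmlns}' prefix if present
    out = []
    for el in ET.fromstring(pom_xml).iter():
        if local(el.tag) == "dependency":
            f = {local(c.tag): (c.text or "").strip() for c in el}
            out.append((f.get("groupId"), f.get("artifactId"), f.get("version")))
    return out

def gradle_deps(build_gradle):
    """Same triples from 'group:artifact:version' coordinates in a Gradle script."""
    return re.findall(r"([\w.]+):([\w-]+):([\w.\-]+)", build_gradle)

def find_vulnerable(deps):
    """Keep only Jackrabbit artifacts whose version falls in the affected range."""
    return [(a, v) for g, a, v in deps
            if g == "org.apache.jackrabbit" and a in AFFECTED_ARTIFACTS
            and v and is_affected(v)]

# Constructed sample inputs (not real project files).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>org.apache.jackrabbit</groupId>
<artifactId>jackrabbit-core</artifactId><version>2.20.3</version></dependency>
<dependency><groupId>org.apache.jackrabbit</groupId>
<artifactId>jackrabbit-jcr-commons</artifactId><version>2.22.2</version></dependency>
</dependencies></project>"""
SAMPLE_GRADLE = "implementation 'org.apache.jackrabbit:jackrabbit-jcr-commons:2.22.1'"

print(find_vulnerable(maven_deps(SAMPLE_POM)))      # [('jackrabbit-core', '2.20.3')]
print(find_vulnerable(gradle_deps(SAMPLE_GRADLE)))  # [('jackrabbit-jcr-commons', '2.22.1')]
```

Versions inherited from a parent POM, a BOM or a transitive dependency do not appear in the file itself, so confirm the resolved tree with `mvn dependency:tree` or `gradle dependencies` as well.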

For organizations that require JNDI functionality for their operations, the feature must now be enabled explicitly through system properties, and administrators are strongly advised to conduct security reviews of their JNDI URI usage patterns.

As a mitigating measure, organizations that can't immediately upgrade should isolate Apache Jackrabbit instances, restrict direct internet access to these systems, and ensure the service runs with minimal required privileges. 
