
Apache Jackrabbit Vulnerability Exposes Systems to Remote Code Execution Attacks


A security flaw has been disclosed in Apache Jackrabbit, a widely used Java content repository (JCR) implementation, that can expose applications built on it to remote code execution (RCE).

The vulnerability, tracked as CVE-2025-58782, affects both Apache Jackrabbit Core and Apache Jackrabbit JCR Commons; the project rates its severity as important.

The issue arises from deserialization of untrusted data during JNDI-based repository lookups. An application that builds its repository connection from untrusted input, for example a client-supplied repository URI, can be made to resolve a JNDI reference chosen by the attacker.

Once that reference is resolved and the returned object deserialized, the attacker's code runs inside the application process, giving access to repository contents and anything else the application can reach.

Vulnerability Details

Deployments that rely on JndiRepositoryFactory (the JCR Commons factory that handles jndi: repository URIs) for JCR lookup are specifically at risk.

By supplying a crafted JNDI URI, an attacker points the lookup at a naming service under their control. The object that lookup returns is deserialized by the vulnerable component, which is what turns a connection parameter into remote exploitation. Applications whose repository URI is fixed in server-side configuration and never derived from user input are not reachable through this path, but the Apache advisory's upgrade guidance still applies to them.
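To make the two preceding points concrete (the untrusted-URI precondition and the JndiRepositoryFactory lookup path), here is an added example that is not code from the article or from the Jackrabbit project. It contrasts a handler that passes a client-supplied repository URI straight to JcrUtils.getRepository with a hardened version that only ever resolves an opaque key against operator-owned configuration and refuses the jndi: scheme outright. The repository URIs in the map and the attacker host are hypothetical placeholders; the only real API used is org.apache.jackrabbit.commons.JcrUtils.getRepository(String) from jackrabbit-jcr-commons, and Java 11 or later is assumed.

```java
import java.util.Locale;
import java.util.Map;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.commons.JcrUtils;

public class RepositoryLookup {

    // --- Vulnerable pattern -------------------------------------------------
    // The repository URI is taken verbatim from the client. JcrUtils offers it
    // to every RepositoryFactory on the classpath; a "jndi:..." URI is claimed
    // by JndiRepositoryFactory, which performs a JNDI lookup against whatever
    // naming service the URI names. The object that lookup returns is
    // deserialized in this process, so a URI pointing at an attacker-controlled
    // service is enough to reach CVE-2025-58782.
    static Repository lookupFromClientUri(String uriFromRequest) throws RepositoryException {
        return JcrUtils.getRepository(uriFromRequest);
    }

    // --- Hardened pattern ---------------------------------------------------
    // Clients never send a URI. They send an opaque key that is mapped
    // server-side to a URI fixed in deployment configuration. The values below
    // are hypothetical; a real deployment loads this map from its own config.
    private static final Map<String, String> CONFIGURED_REPOSITORIES = Map.of(
        "content", "http://localhost:8080/server",              // hypothetical remote repo
        "local",   "file:///var/lib/jackrabbit/repository");    // hypothetical local repo

    // Returns the configured URI for a client-supplied key, or throws.
    // As a second line of defence the jndi: scheme is refused even if such an
    // entry is later added to the configuration by mistake.
    static String resolveRepositoryUri(String keyFromRequest) throws RepositoryException {
        if (keyFromRequest == null || keyFromRequest.isBlank()) {
            throw new RepositoryException("missing repository key");
        }
        String uri = CONFIGURED_REPOSITORIES.get(keyFromRequest.trim());
        if (uri == null) {
            throw new RepositoryException("unknown repository key: " + keyFromRequest);
        }
        if (uri.trim().toLowerCase(Locale.ROOT).startsWith("jndi:")) {
            throw new RepositoryException("JNDI repository URIs are disabled in this deployment");
        }
        return uri;
    }

    static Repository lookupByKey(String keyFromRequest) throws RepositoryException {
        // Only a vetted, configuration-owned URI ever reaches JcrUtils.
        return JcrUtils.getRepository(resolveRepositoryUri(keyFromRequest));
    }

    // Exercises the validation logic only; no repository is contacted.
    public static void main(String[] args) throws RepositoryException {
        System.out.println("accepted: " + resolveRepositoryUri("content"));
        String[] hostile = { "jndi:rmi://attacker.example/obj", "../../etc", "" };
        for (String bad : hostile) {
            try {
                resolveRepositoryUri(bad);
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (RepositoryException e) {
                System.out.println("rejected '" + bad + "': " + e.getMessage());
            }
        }
    }
}
```

The same caution applies to the Map-based JcrUtils.getRepository(Map) overload: if any of its entries, including java.naming.* settings or the jndi name parameter, can be influenced by a client, the lookup is attacker-directed just as with a raw jndi: URI. Keep the whole parameter map server-owned, not only the URI string.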

CVE ID | Component | Affected Versions | Severity | Type of Vulnerability
CVE-2025-58782 | Apache Jackrabbit Core, Apache Jackrabbit JCR Commons | ... | Important | Deserialization of untrusted data (JNDI repository lookup)

Copyright of this story belongs to gbhackers; this is an excerpt of the original article.