
Oracle Java SE CVE-2025-53066

Severity: HIGH
Information Exposure (CWE-200)
Published: 2025-10-21 (source: secalert_us@oracle.com)
CVSS 3.1 Base Score: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: May 12, 2026 - 13:31 (vuln.today)
CVE Published: Oct 21, 2025 - 20:20 (nvd), rated HIGH 7.5

Description (NVD)

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Analysis (AI)

Unauthorized data access in the Oracle Java SE JAXP component allows remote, unauthenticated attackers to exfiltrate sensitive information from multiple Java platforms, including Oracle Java SE (8u461 through 25), GraalVM for JDK (17.0.16, 21.0.8), and GraalVM Enterprise Edition (21.3.15). Exploitation requires no authentication and low complexity, and can occur through web services that supply malicious data to JAXP APIs or through sandboxed Java Web Start/applet deployments that load untrusted code. Oracle released patches in the October 2025 Critical Patch Update; EPSS data was unavailable at the time of analysis. The CVSS 7.5 score reflects a pure confidentiality impact with a network attack vector.

Technical Context (AI)

The vulnerability affects the JAXP (Java API for XML Processing) component, a core Java API used for parsing and transforming XML documents. JAXP provides abstraction layers over SAX, DOM, and XSLT processors. The CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) classification indicates that the flaw allows information disclosure beyond intended boundaries. The affected CPE strings confirm impact across Oracle's entire Java ecosystem: standard JDK/JRE distributions (versions 8u461, 11.0.28, 17.0.16, 21.0.8, 25), GraalVM for JDK (17.0.16, 21.0.8), and GraalVM Enterprise Edition (21.3.15). The vulnerability manifests when JAXP APIs process attacker-controlled XML input, whether through web services, server-side applications consuming external data, or client-side sandboxed environments (Java Web Start, applets) designed to isolate untrusted code execution. The Scope: Unchanged metric indicates that the compromise remains within the vulnerable component's security boundary.

Remediation (AI)

Upgrade to the Oracle Java SE versions released in the October 2025 Critical Patch Update (CPU). The specific patched versions are not enumerated in the available data but are referenced in the Oracle advisory at https://www.oracle.com/security-alerts/cpuoct2025.html. For GraalVM for JDK, apply updates beyond 17.0.16 and 21.0.8 per vendor guidance. For GraalVM Enterprise Edition, upgrade from 21.3.15 to the patched release per Oracle support channels. Debian LTS users should follow the distribution-specific upgrade procedure at https://lists.debian.org/debian-lts-announce/2025/10/msg00026.html. Siemens product customers should consult https://cert-portal.siemens.com/productcert/html/ssa-032379.html for embedded Java component updates.

Compensating controls for environments that cannot patch immediately:
- Restrict network access to JAXP-utilizing services with firewall rules that limit exposure to trusted networks only (this reduces but does not eliminate risk from insider threats or compromised trusted systems).
- Implement strict XML input validation and sanitization before JAXP processing: validate against a schema, disable external entity processing, and limit document size (effectiveness depends on accurate implementation and may not address the root vulnerability).
- Disable Java Web Start and applet support if still enabled (modern browsers already block these by default).
- Implement network egress monitoring for unusual data exfiltration patterns from Java processes (a detective control only; it does not prevent initial compromise).
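One way to apply the parser-side controls listed above (disable external entity processing, limit document size) in Java, as an added example that is not Oracle's code or this page's: the class and method names are ours and the 1 MiB size limit is a constructed value. It hardens the JAXP DocumentBuilder's own feature set for untrusted input; it does not patch CVE-2025-53066 itself.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Hardened JAXP DOM parsing for untrusted XML (added example; class and method names are ours). */
public final class HardenedJaxp {
    /** Maximum accepted document size in bytes (constructed limit; tune per service). */
    static final int MAX_BYTES = 1 << 20;

    /** Returns a DocumentBuilder with DTDs, external entities and XInclude disabled. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refusing any DOCTYPE removes internal and external entity declarations entirely.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5 access properties: an empty protocol list forbids fetching any external resource.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        return f.newDocumentBuilder();
    }

    /** Enforces the size limit before the parser sees the bytes, then parses with the hardened builder. */
    static Document parseUntrusted(byte[] xml) throws Exception {
        if (xml.length > MAX_BYTES) {
            throw new IOException("XML document exceeds " + MAX_BYTES + " bytes");
        }
        return hardenedBuilder().parse(new ByteArrayInputStream(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign document and one referencing an external DTD at a placeholder host.
        byte[] benign = "<order><id>42</id></order>".getBytes(StandardCharsets.UTF_8);
        byte[] external = "<!DOCTYPE x SYSTEM \"http://dtd.example.invalid/x.dtd\"><x/>".getBytes(StandardCharsets.UTF_8);
        System.out.println("benign root: " + parseUntrusted(benign).getDocumentElement().getTagName());
        try {
            parseUntrusted(external);
        } catch (SAXException e) {
            // The parser stops at the DOCTYPE itself; no network request is made.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same XMLConstants.FEATURE_SECURE_PROCESSING and ACCESS_EXTERNAL_* settings apply to TransformerFactory and SchemaFactory when the service uses the XSLT or validation side of JAXP.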

Vendor Status (Vendor)


CVE-2025-53066 vulnerability details – vuln.today
