What is the CVSS score of EUVD-2025-21327?

EUVD-2025-21327 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Java are affected by EUVD-2025-21327?

Apache Jackrabbit versions prior to 2.23.2 contain a blind XXE vulnerability that could allow attackers to extract sensitive data or disrupt services through malicious XML input.. A patch is available.

How to fix or mitigate EUVD-2025-21327?

Within 24 hours: Inventory all systems running Apache Jackrabbit and identify affected versions (< 2.20.17, < 2.22.1, or < 2.23.2 depending on Java version). Within 7 days: Develop and test upgrade plan to compatible patched versions (2.20.17, 2.22.1, or 2.23.2) in non-production environments. Within 30 days: Deploy patches to all production systems, prioritizing those exposed to untrusted input.

Java EUVD-2025-21327

| CVE-2025-53689 HIGH

Improper Restriction of XML External Entity Reference (CWE-611)

2025-07-14 security@apache.org

GHSA-44c3-38h8-9fh9

XXE Apache Java Information Disclosure Jackrabbit Red Hat

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ubuntu

MEDIUM

qualitative

Red Hat

7.1 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 16, 2026 - 09:43 euvd

EUVD-2025-21327

Analysis Generated

Mar 16, 2026 - 09:43 vuln.today

CVE Published

Jul 14, 2025 - 10:15 nvd

HIGH 8.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

4 maven packages depend on org.apache.jackrabbit:jackrabbit-core (4 direct, 0 indirect)
34 maven packages depend on org.apache.jackrabbit:jackrabbit-spi-commons (13 direct, 21 indirect)

Ecosystem-wide dependent count for version 2.23.0-beta and other introduced versions.

DescriptionCVE.org

Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges.

Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.

AnalysisAI

Apache Jackrabbit versions prior to 2.23.2 contain blind XXE (XML External Entity) vulnerabilities in jackrabbit-spi-commons and jackrabbit-core components due to unsafe XML document parsing when loading privilege definitions. An authenticated attacker with low privileges can exploit this to achieve high-impact confidentiality, integrity, and availability compromise. The vulnerability requires user authentication (PR:L) but has no interaction requirement and affects all systems regardless of scope.

Technical ContextAI

The vulnerability exists in Apache Jackrabbit's privilege loading mechanism, which utilizes unsecured XML document builders (likely using DOM or SAX parsers without XXE protections disabled). Jackrabbit is a Java Content Repository implementation following the JCR specification, widely used for content management and document storage. The root cause is CWE-611 (Improper Restriction of XML External Entity Reference), where the XML parser processes external entity declarations without proper validation or DTD processing restrictions. Affected components are jackrabbit-spi-commons (SPI layer) and jackrabbit-core (core repository), indicating the vulnerability affects the foundational XML deserialization during privilege configuration/loading. This is a blind XXE variant, meaning the attacker cannot directly exfiltrate data but can read files, perform SSRF attacks, or cause denial of service through billion laughs/XML bomb attacks.

RemediationAI

{'type': 'Immediate Patch', 'action': 'Upgrade to one of the following supported versions based on your Java runtime: Apache Jackrabbit 2.20.17 (for Java 8 environments, though Java 8 is EOL), 2.22.1 (for Java 11), or 2.23.2 (for Java 11, recommended for new deployments).'} {'type': 'Configuration Mitigation (if patch cannot be immediately applied)', 'action': "Restrict XML privilege source to trusted, internal systems only. Implement network-level access controls to limit which systems can load privilege definitions. Disable external DTD processing at the JVM level using system properties: -Dcom.sun.org.apache.xerces.internal.XMLConstants.ACCESS_EXTERNAL_DTD='' and -Dcom.sun.org.apache.xerces.internal.XMLConstants.ACCESS_EXTERNAL_SCHEMA=''."} {'type': 'Access Control', 'action': 'Audit and minimize the number of accounts with privilege administration or content repository configuration rights, as exploitation requires authentication.'} {'type': 'Verification', 'action': 'After patching, verify the XML parser configuration in privilege loading code uses XXE-safe defaults (e.g., XMLInputFactory with FEATURE_SECURE_PROCESSING enabled, DTDProcessing.PROHIBIT, or equivalent hardening).'} {'type': 'Vendor Advisory', 'action': 'Refer to Apache Jackrabbit security advisory at https://jackrabbit.apache.org/security-advisories.html for detailed patch notes and breaking changes.'}

More from same product – last 7 days

CVE-2026-28575 CRITICAL Act Now

10.0 Jun 17

Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran

CVE-2026-55773 HIGH This Week

8.8 Jun 19

Cedar policy injection in CedarJava (com.cedarpolicy:cedar-java) versions below 2.3.6, 3.4.1, and 4.9.0 allows attackers

CVE-2026-55772 HIGH This Week

8.8 Jun 19

Type confusion in CedarJava versions prior to 2.3.6, 3.4.1, and 4.9 allows authenticated remote attackers to manipulate

CVE-2026-44795 HIGH This Week

8.5 Jun 22

Remote code execution in Spinnaker's Orca and Rosco services allows authenticated users to achieve arbitrary Java class

CVE-2026-50196 HIGH This Week

7.5 Jun 17

Denial of service in Steeltoe.Discovery.Eureka client (.NET) versions prior to 4.2.0 and 3.4.0 allows a remote Eureka re

Vendor StatusVendor

Ubuntu

Priority: Medium

jackrabbit

Release	Status	Version
trusty	needs-triage	-
xenial	needs-triage	-
bionic	needs-triage	-
focal	needs-triage	-
jammy	needs-triage	-
noble	needs-triage	-
upstream	needs-triage	-
questing	needs-triage	-
plucky	ignored	end of life, was needs-triage

Debian

Bug #1109335

jackrabbit

Release	Status	Fixed Version	Urgency
bullseye	vulnerable	2.18.0+r2.14.6-1	-
bookworm	vulnerable	2.20.3-1	-
forky, sid, trixie	fixed	2.20.11-1.1	-
(unstable)	fixed	2.20.11-1.1	unimportant

EUVD-2025-21327 vulnerability details – vuln.today

Back

Java EUVD-2025-21327

Severity by source

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Ubuntu

Debian

Share

External POC / Exploit Code