Severity
High
Analysis Summary
A critical security vulnerability has been identified in Apache Jackrabbit, an open-source Java Content Repository (JCR) implementation widely used in enterprise content management systems and web applications. The flaw, tracked as JCR-5135, is a deserialization of untrusted data issue in the way Jackrabbit resolves repository references through Java Naming and Directory Interface (JNDI) lookups. If left unpatched, it could allow a remote attacker who can influence the JNDI URI to execute arbitrary code on the vulnerable server, putting both system integrity and data confidentiality at severe risk. The vulnerability was responsibly reported by a security researcher.
The root cause lies in how certain Apache Jackrabbit components process JNDI URIs when looking up a JCR repository. In deployments that accept the repository URI from untrusted or public-facing sources, an attacker can submit a crafted JNDI reference. The lookup then resolves against an attacker-controlled naming service, and the object it returns is deserialized by the application, which lets the attacker run code with the application's privileges. Successful exploitation would allow an attacker to install malware, exfiltrate sensitive information, or take full control of the compromised system.
The scope of impact is significant, covering two decades of releases of Jackrabbit's foundational components. All versions from 1.0.0 through 2.22.1 of both Jackrabbit Core (org.apache.jackrabbit:jackrabbit-core) and Jackrabbit JCR Commons (org.apache.jackrabbit:jackrabbit-jcr-commons) are affected. This broad version range makes the flaw especially dangerous for enterprises running outdated deployments that are reachable from external networks. Organizations using these versions should treat this as a priority and take immediate remediation steps.
To mitigate the risk, the Apache Jackrabbit team released version 2.22.2, which disables JCR lookups via JNDI by default and so closes the exploit path. Organizations that still require JNDI lookups must now explicitly re-enable them through a system property, and administrators are strongly advised to review, before doing so, whether any JNDI URI the application resolves can be influenced by untrusted input. The most reliable defense remains upgrading to the patched release as soon as possible; delaying the update leaves systems exposed to remote code execution, data theft, and complete server compromise.
Impact
- Data Theft
- Code Execution
- Unauthorized Access
Remediation
- Update Apache Jackrabbit Core and JCR Commons to version 2.22.2 or later, which contains the security fix.
- The patched version disables JCR lookups via JNDI by default, which closes the exploit path.
- Do not re-enable JNDI lookups unless absolutely necessary for business operations.
- If JNDI functionality is required, it must now be explicitly enabled via a system property.
- Before enabling JNDI, ensure that no unvalidated or user-supplied data can influence JNDI URIs.
- Review current systems to confirm whether affected versions (1.0.0–2.22.1) are still in use.
- Restrict exposure of Jackrabbit instances to untrusted networks and apply network segmentation/firewall rules where possible.
- Implement logging and monitoring to detect suspicious JNDI-based lookups or deserialization activity.
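The following script is an added example for the inventory step above; it is not code from this advisory or from the Apache Jackrabbit project. It applies the affected range stated here (jackrabbit-core and jackrabbit-jcr-commons from 1.0.0 through 2.22.1, fixed in 2.22.2) to a Maven pom.xml and to jar file names found on disk. The pom.xml content, the jar paths and the property name jackrabbit.version are constructed sample inputs; the group and artifact identifiers are the ones the advisory names.

```python
"""Added example (not Jackrabbit project code): flag Apache Jackrabbit artifacts
in the affected range for JCR-5135, 1.0.0 through 2.22.1, fixed in 2.22.2."""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = "http://maven.apache.org/POM/4.0.0"
AFFECTED_GROUP = "org.apache.jackrabbit"
AFFECTED_ARTIFACTS = ("jackrabbit-core", "jackrabbit-jcr-commons")
FIRST_AFFECTED = (1, 0, 0)  # inclusive
FIXED = (2, 22, 2)          # first release that disables JNDI lookups by default


def parse_version(version):
    """Numeric (major, minor, patch) prefix of a Maven version string.

    Qualifiers such as -SNAPSHOT are ignored, so a 2.22.2-SNAPSHOT build counts
    as fixed; treat pre-release builds of the fixed version with care.
    """
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unparseable version: %r" % version)
    return tuple(int(part or 0) for part in m.groups())


def classify(group, artifact, version):
    """'affected', 'fixed', 'unknown' or 'not-in-scope' for one Maven coordinate."""
    if group != AFFECTED_GROUP or artifact not in AFFECTED_ARTIFACTS:
        return "not-in-scope"
    if version is None:
        return "unknown"  # version managed elsewhere (BOM/parent); resolve it by hand
    try:
        parsed = parse_version(version)
    except ValueError:
        return "unknown"
    if parsed < FIRST_AFFECTED:
        return "unknown"  # predates the range the advisory lists
    return "affected" if parsed < FIXED else "fixed"


def _tag(name):
    return "{%s}%s" % (MAVEN_NS, name)


def scan_pom(pom_xml):
    """Classify every <dependency> in a pom.xml, resolving ${property} versions
    declared in the same file; anything else is reported as 'unknown'."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find(_tag("properties"))
    if props_el is not None:
        for child in props_el:
            props[child.tag.replace("{%s}" % MAVEN_NS, "")] = (child.text or "").strip()
    findings = []
    for dep in root.iter(_tag("dependency")):
        group = dep.findtext(_tag("groupId"))
        artifact = dep.findtext(_tag("artifactId"))
        version = dep.findtext(_tag("version"))
        if version:
            m = re.fullmatch(r"\$\{([^}]+)\}", version.strip())
            if m:
                version = props.get(m.group(1))  # None when not defined locally
        status = classify(group, artifact, version)
        if status != "not-in-scope":
            findings.append({"artifact": artifact, "version": version, "status": status})
    return findings


JAR_RE = re.compile(r"(jackrabbit-(?:core|jcr-commons))-(\d+(?:\.\d+)*(?:-[\w.]+)?)\.jar$")


def scan_jar_paths(paths):
    """Classify deployed jars by file name. This is a heuristic: renamed or
    shaded jars escape it, so confirm with the jar manifest or an SCA tool."""
    findings = []
    for path in paths:
        m = JAR_RE.search(path.replace("\\", "/"))
        if m:
            findings.append({"path": path, "artifact": m.group(1), "version": m.group(2),
                             "status": classify(AFFECTED_GROUP, m.group(1), m.group(2))})
    return findings


# Constructed sample inputs (not taken from any real deployment).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>cms</artifactId><version>1.0</version>
  <properties><jackrabbit.version>2.20.4</jackrabbit.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.jackrabbit</groupId>
      <artifactId>jackrabbit-core</artifactId><version>${jackrabbit.version}</version></dependency>
    <dependency><groupId>org.apache.jackrabbit</groupId>
      <artifactId>jackrabbit-jcr-commons</artifactId><version>2.22.2</version></dependency>
    <dependency><groupId>org.apache.jackrabbit</groupId>
      <artifactId>jackrabbit-api</artifactId><version>2.22.1</version></dependency>
  </dependencies>
</project>
"""
SAMPLE_JARS = [
    "/opt/cms/WEB-INF/lib/jackrabbit-core-2.22.1.jar",
    "/opt/cms/WEB-INF/lib/jackrabbit-jcr-commons-2.22.2.jar",
    "/opt/cms/WEB-INF/lib/jackrabbit-api-2.22.1.jar",
    "C:\\app\\lib\\jackrabbit-core-2.20.0-SNAPSHOT.jar",
]

if __name__ == "__main__":
    for finding in scan_pom(SAMPLE_POM) + scan_jar_paths(SAMPLE_JARS):
        print(finding)
```

Run against the constructed sample, the script reports jackrabbit-core 2.20.4 (resolved from the local property) and both jackrabbit-core jars as affected, jackrabbit-jcr-commons 2.22.2 as fixed, and ignores jackrabbit-api because the advisory does not list it. A dependency whose version comes from a parent POM or BOM is reported as unknown rather than silently passed; resolve those with `mvn dependency:tree` or your SCA tooling before signing off on the inventory.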