CVE-2025-53689: Apache Jackrabbit vulnerable to blind XXE attack due to insecure document build

The vulnerability is a classic Blind XXE (XML External Entity) injection located in the XML parsing logic of Apache Jackrabbit. The root cause is the use of an insecurely configured javax.xml.parsers.DocumentBuilderFactory when parsing XML documents, which did not disable external entity processing. This allowed an attacker to craft a malicious XML payload containing external entity references, which the server would then process. This could lead to unauthorized data access from the local filesystem or server-side request forgery (SSRF) by forcing the server to make requests to arbitrary network resources.

The security patch addresses this issue in two main classes:

1. org.apache.jackrabbit.core.util.DOMWalker: The constructor of this class directly parses an InputStream. The patch introduces a createFactory method that configures the DocumentBuilderFactory to be secure by disabling DTDs and external entities. It also adds a defense-in-depth EntityResolver to the DocumentBuilder to explicitly block any entity resolution attempts.

2. org.apache.jackrabbit.spi.commons.privilege.PrivilegeXmlHandler: This class is responsible for parsing privilege definitions from XML. The public parsePrivileges methods were vulnerable. The patch applies the same security measures as in DOMWalker, creating a secure DocumentBuilderFactory and adding a restrictive EntityResolver in the createDocumentBuilder helper method.

For a security engineer, this means any application component that allows users to supply XML that is eventually processed by either the DOMWalker constructor or the PrivilegeXmlHandler.parsePrivileges methods is an attack vector. Exploitation would involve submitting a crafted XML file, for example, during privilege registration or any other operation that involves these parsing utilities.