PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-53066 Cert Portal CVE debrief

CVE-2025-53066 is a network-exploitable Oracle Java SE / GraalVM JAXP vulnerability with a CVSS v3.1 base score of 7.5. According to the advisory, an unauthenticated attacker can reach the issue over multiple protocols and may gain unauthorized access to critical data or to all data accessible to the affected Java runtime; the advisory notes that this also applies to sandboxed Java Web Start or applet deployments that run untrusted code.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Owners of Oracle Java SE and GraalVM JDK deployments on servers, middleware, web services, and client systems; teams that expose Java APIs to untrusted input; and security teams supporting sandboxed Java Web Start or applet environments.

Technical summary

The source advisory describes a JAXP component issue affecting Oracle Java SE 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, and 25; Oracle GraalVM for JDK 17.0.16 and 21.0.8; and Oracle GraalVM Enterprise Edition 21.3.15. Exploitation does not require authentication or user interaction, and the attack surface includes APIs exposed by services that supply data to the component. The reported impact is confidentiality-only (C:H/I:N/A:N).

Defensive priority

High — prioritize inventorying and patching affected Java/GraalVM deployments, especially internet-facing services and any environment that processes untrusted input through JAXP.

Recommended defensive actions

  • Inventory Oracle Java SE and GraalVM installations and compare them against the affected versions listed in the advisory.
  • Prioritize patching or upgrading internet-facing systems and any Java services that accept untrusted data through JAXP.
  • Review sandboxed Java Web Start and Java applet deployments that load untrusted code; reduce or remove those trust assumptions where possible.
  • Restrict network exposure to affected Java services until remediation is complete, and monitor for unauthorized access to sensitive data.
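The first two actions above come down to one check: normalise whatever version string each host reports and compare it with the affected versions the advisory names. The script below is an added example (not part of the PatchSiren debrief and not Oracle tooling) that does exactly that for the Java SE, GraalVM for JDK and GraalVM Enterprise Edition versions listed in the technical summary. The inventory lines are constructed; the product tag per host ("java_se", "graalvm_jdk", "graalvm_ee") is assumed to come from whatever inventory source you already have, since `java -version` output alone does not always identify the product. Treating an older update of a listed family as "likely affected" is an assumption based on Oracle's usual practice of listing the latest affected update, not a statement from the advisory.

```python
"""Compare inventoried JDK versions against the CVE-2025-53066 affected list.

Added example, not from the PatchSiren page or from Oracle. Sample inventory
lines are constructed for illustration.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]  # (feature, interim, update)

# Affected versions as named in the advisory text, keyed by product.
# 8u461 is what the JDK prints as "1.8.0_461"; "25" has no update component.
AFFECTED = {
    "java_se":     {(8, 0, 461), (11, 0, 28), (17, 0, 16), (21, 0, 8), (25, 0, 0)},
    "graalvm_jdk": {(17, 0, 16), (21, 0, 8)},
    "graalvm_ee":  {(21, 3, 15)},
}

_LEGACY = re.compile(r"^1\.(\d+)\.0_(\d+)")             # 1.8.0_461  -> 8u461
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")  # 17.0.16, 21.3.15, 25


def parse_version(text: str) -> Optional[Version]:
    """Normalise a JDK version string to (feature, interim, update).

    Accepts the legacy "1.8.0_461" form and the modern "17.0.16" form. A
    trailing suffix such as "-perf" is ignored, because the advisory lists
    8u461-perf alongside 8u461.
    """
    text = text.strip().strip('"')
    m = _LEGACY.match(text)
    if m:
        return (int(m.group(1)), 0, int(m.group(2)))
    m = _MODERN.match(text)
    if m:
        return (int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))
    return None


def version_from_banner(banner: str) -> Optional[Version]:
    """Extract the quoted version from the first line of `java -version` output."""
    m = re.search(r'version "([^"]+)"', banner)
    return parse_version(m.group(1)) if m else None


def assess(product: str, version: Version) -> str:
    """Classify one installation against the advisory's affected list.

    "affected"        -> exact match with a listed version
    "likely affected" -> older update of a listed family (assumption, see lead-in)
    "not listed"      -> anything else, including newer updates
    """
    listed = AFFECTED.get(product, set())
    if version in listed:
        return "affected"
    for feature, interim, update in listed:
        if (feature, interim) == version[:2] and version[2] < update:
            return "likely affected"
    return "not listed"


# Constructed sample inventory: (host, product tag, first line of `java -version`).
SAMPLE_INVENTORY = [
    ("web-01",   "java_se",     'java version "17.0.16"'),
    ("app-02",   "java_se",     'java version "1.8.0_461"'),
    ("app-03",   "java_se",     'java version "21.0.5"'),
    ("build-04", "graalvm_jdk", 'java version "21.0.8"'),
    ("ci-05",    "java_se",     'java version "17.0.17"'),
]


def run_inventory(inventory=SAMPLE_INVENTORY):
    """Return (host, verdict) pairs; unparsable banners are reported, not skipped."""
    results = []
    for host, product, banner in inventory:
        version = version_from_banner(banner)
        verdict = assess(product, version) if version else "unparsed"
        results.append((host, verdict))
    return results


if __name__ == "__main__":
    for host, verdict in run_inventory():
        print(f"{host:10} {verdict}")
```

Feed it real banners by replacing SAMPLE_INVENTORY with whatever your asset inventory exports; anything that comes back "unparsed" deserves a manual look rather than being dropped from the patch list.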

Evidence notes

The advisory content is explicit about the affected Oracle Java/GraalVM versions, the JAXP component, the network/unauthenticated attack model, and the CVSS vector. The source item's vendor/product metadata is inconsistent with the advisory text (it references Siemens SIMATIC CN 4100 while the body describes Oracle Java SE/GraalVM), so the Oracle/JAXP description should be treated as authoritative for this CVE.

Official resources

Publicly disclosed in CISA's ICSA-26-134-10 publication on 2026-05-12 and updated on 2026-05-14. The supplied source was republished from Siemens ProductCERT SSA-032379; note that the source metadata fields do not match the Oracle Java/Gra