
A critical security flaw has been disclosed in Apache Tika that could lead to an XML External Entity (XXE) injection attack.
This vulnerability is tracked as CVE-2025-66516 and is rated 10.0 on the CVSS scoring scale, indicating maximum severity.
According to the vulnerability advisory, “A critical XXE in the Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1), and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to perform XML External Entity injection via a crafted XFA file inside a PDF.”

Affects the following Maven packages:
org.apache.tika:tika-core >= 1.13, <= 3.2.1 (patched in version 3.2.2)
org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1 (patched in version 3.2.2)
org.apache.tika:tika-parsers >= 1.13, < 2.0.0 (patched in version 2.0.0)
XXE injection is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It can expose files on the application server's file system and, in some cases, enable remote code execution.
CVE-2025-66516 is related to CVE-2025-54988 (CVSS score: 8.4), another XXE flaw in the content detection and analysis framework that was patched by the project maintainers in August 2025. According to the Apache Tika team, the new CVE expands the scope of affected packages in two ways.
“First, the entry point for this vulnerability was the tika-parser-pdf-module, as reported in CVE-2025-54988, but the vulnerability and its fix were in tika-core,” the team said. “Users who upgraded tika-parser-pdf-module but did not upgrade tika-core to 3.2.2 or higher are still vulnerable.”
“Second, the original report did not mention that PDFParser was included in the org.apache.tika:tika-parsers module in the 1.x Tika releases.”
Given the importance of the vulnerability, we recommend applying updates as soon as possible to mitigate potential threats.
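The partial-upgrade trap described by the Tika team (pdf-module updated, tika-core not) is easy to miss by eye. The following is an added example, not code from the advisory or the Tika project, that scans the output of `mvn dependency:list` for the three artifacts and the version ranges listed above; the input format and the sample dependency lines are assumed and constructed.

```python
import re

# Affected ranges from the advisory, per artifact:
# (lowest affected version, highest affected version, first fixed version)
AFFECTED = {
    "tika-core": ((1, 13), (3, 2, 1), "3.2.2"),
    "tika-parser-pdf-module": ((2, 0, 0), (3, 2, 1), "3.2.2"),
    "tika-parsers": ((1, 13), (1, 28, 5), "2.0.0"),
}

# Matches "org.apache.tika:<artifact>:<type>:<version>" as printed by
# `mvn dependency:list` (assumed shape: group:artifact:type:version:scope).
LINE_RE = re.compile(r"org\.apache\.tika:([\w-]+):\w+:([\d.]+)")


def parse_version(text):
    """Turn '3.2.1' into (3, 2, 1) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def vulnerable_artifacts(dependency_list_output):
    """Return [(artifact, version, fixed_in)] for every line whose Tika
    artifact version lies inside an affected range (bounds inclusive)."""
    findings = []
    for line in dependency_list_output.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        artifact, version = match.group(1), match.group(2)
        if artifact not in AFFECTED:
            continue
        lowest, highest, fixed_in = AFFECTED[artifact]
        if lowest <= parse_version(version) <= highest:
            findings.append((artifact, version, fixed_in))
    return findings


# Constructed sample: pdf-module already on 3.2.2, but tika-core left at 3.2.1,
# which is exactly the case the Tika team warns is still vulnerable.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    com.example:widget:jar:1.0.0:compile
"""

if __name__ == "__main__":
    for artifact, version, fixed_in in vulnerable_artifacts(SAMPLE_OUTPUT):
        print(f"{artifact} {version} is affected; upgrade to {fixed_in}")
```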
