Apache Tika Hit by Critical XXE Bug (CVE-2025-66516, CVSS 10.0)

  • Dec 5, 2025

Key Findings


  • A critical XML external entity (XXE) vulnerability, tracked as CVE-2025-66516, has been discovered in the Apache Tika toolkit.

  • The vulnerability has a CVSS score of 10.0, indicating maximum severity.

  • The flaw allows attackers to carry out XXE injection attacks through a crafted XFA (XML Forms Architecture) payload embedded in a PDF document.

  • The vulnerability affects multiple Apache Tika components, including the tika-core, tika-parser-pdf-module, and tika-parsers modules.

  • This vulnerability is an expansion of a previously disclosed flaw, CVE-2025-54988, with a wider scope of affected packages.


Background


The Apache Tika toolkit is an industry-standard content detection and analysis framework, used for detecting file types and extracting text and metadata from a wide range of file formats. The toolkit's versatility makes it a valuable component in many applications, including search engine indexing, content analysis, and translation.


Vulnerability Details


The critical XXE vulnerability, CVE-2025-66516, is found in the way Apache Tika handles XFA (XML Forms Architecture) data within PDF files. By embedding a malicious XML payload in the XFA section of a PDF document, an attacker can trick the Tika core into processing external entities, leading to potential disclosure of sensitive data, denial of service, or server-side request forgery (SSRF) attacks.


Affected Components


The vulnerability impacts the following Apache Tika components:


  • Apache Tika Core: Versions 1.13 through 3.2.1 (Patched in version 3.2.2)

  • Apache Tika Parsers: Versions 1.13 up to, but not including, 2.0.0 (Patched in version 2.0.0)

  • Apache Tika PDF Parser Module: Versions 2.0.0 through 3.2.1 (Patched in version 3.2.2)


Confusion and Correction


This vulnerability is a correction and expansion of a previously disclosed flaw, CVE-2025-54988, which had a CVSS score of 8.4. The Apache Tika team realized that the original report underestimated the scope of the vulnerability, as the fix was required in the tika-core module, not just the tika-parser-pdf-module.


Mitigation and Recommendations


To mitigate the risk of this critical vulnerability, users are advised to upgrade their dependencies to the patched versions of the affected Apache Tika components as soon as possible:


  • tika-core: Version 3.2.2 or higher

  • tika-parsers: Version 2.0.0 or higher

  • tika-parser-pdf-module: Version 3.2.2 or higher


Applying these updates is crucial, as users who only updated the tika-parser-pdf-module but not the tika-core module would still be vulnerable.
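As an added example (not code from the advisory or from the Apache Tika project), the following script audits a Maven pom.xml against the affected version ranges listed above and flags exactly the trap just described: a project that bumped tika-parser-pdf-module to 3.2.2 while leaving tika-core on 3.2.1. The Maven namespace handling and the treatment of version qualifiers are assumptions; the sample pom is constructed.

```python
"""Audit a Maven pom.xml for Apache Tika artifacts inside the CVE-2025-66516 affected ranges."""
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory summary, expressed as [first affected, first fixed).
AFFECTED = {
    "tika-core": ("1.13", "3.2.2"),
    "tika-parsers": ("1.13", "2.0.0"),
    "tika-parser-pdf-module": ("2.0.0", "3.2.2"),
}

def parse_version(version: str) -> tuple:
    """Turn '3.2.1' into (3, 2, 1); a qualifier such as '-BETA' is ignored (assumption)."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    return tuple(int(part) for part in match.group(1).split(".")) if match else (0,)

def is_vulnerable(artifact: str, version: str) -> bool:
    """True if this artifact/version pair falls inside an affected range."""
    if artifact not in AFFECTED:
        return False
    first_affected, first_fixed = AFFECTED[artifact]
    return parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed)

def find_tika_deps(pom_xml: str) -> dict:
    """Map each org.apache.tika artifactId declared in the pom to its version string."""
    root = ET.fromstring(pom_xml)  # expat does not resolve external entities by default
    found = {}
    for dep in root.iter():
        if not dep.tag.endswith("dependency"):
            continue
        # Strip the Maven XML namespace from child tags before reading them
        fields = {child.tag.rsplit("}", 1)[-1]: (child.text or "").strip() for child in dep}
        if fields.get("groupId") == "org.apache.tika":
            found[fields.get("artifactId", "")] = fields.get("version", "")
    return found

def audit(pom_xml: str) -> dict:
    """Return {artifactId: vulnerable?} for every Tika dependency found in the pom."""
    return {a: is_vulnerable(a, v) for a, v in find_tika_deps(pom_xml).items()}

# Constructed sample: the pdf module was bumped to 3.2.2 but tika-core is still 3.2.1
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.apache.tika</groupId>
    <artifactId>tika-core</artifactId><version>3.2.1</version></dependency>
  <dependency><groupId>org.apache.tika</groupId>
    <artifactId>tika-parser-pdf-module</artifactId><version>3.2.2</version></dependency>
</dependencies></project>"""
```

Running `audit(SAMPLE_POM)` reports tika-core as vulnerable and tika-parser-pdf-module as fixed, which is the partial-upgrade state the advisory warns about.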

