Maximum-severity XXE vulnerability discovered in Apache Struts

  • Dec 6, 2025

Key Findings


  • A critical XXE vulnerability (CVE-2025-66516) with a CVSS score of 10.0 was discovered in Apache Tika

  • The vulnerability allows XML external entity attacks and affects Tika's core, PDF, and parser modules

  • Attackers can embed a malicious XFA file inside a PDF to trigger the XXE injection in Tika


Background


  • Apache Tika is an open-source content analysis toolkit used to extract text, metadata, and structured information from various file types

  • Tika is widely used in systems like search indexes, document ingestion pipelines, compliance tools, and content analysis platforms


Vulnerability Details


  • The vulnerability was initially reported as CVE-2025-54988, but the new CVE-2025-66516 expands the scope of affected packages

  • The root vulnerability and its fix are in the tika-core module, meaning users who only updated the tika-parser-pdf-module remain vulnerable

  • The vulnerability also affects the tika-parsers module in older Tika 1.x releases, where the PDFParser was included


Impact


  • The vulnerability allows attackers to carry out XML External Entity (XXE) injection attacks by exploiting a flaw in Tika's core, PDF, and parser modules

  • Successful exploitation can lead to the exposure of sensitive internal resources


Mitigation


  • Users are urged to install the updates as soon as possible to address this critical vulnerability; because the fix is in tika-core, updating only the tika-parser-pdf-module is not sufficient
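The partial-update case the post warns about (PDF module refreshed, tika-core left behind) is easy to miss in a large build. The shell check below is an added example, not code from the post or from the Tika project: it reads `mvn dependency:tree` output and reports whether tika-core, rather than just the PDF module, is at or above a fixed version. The sample tree and the fixed-version argument are constructed placeholders, since the post does not list the fixed releases.

```shell
# Constructed sample of `mvn dependency:tree -Dincludes=org.apache.tika` output.
# The version numbers are illustrative only and say nothing about real fixed releases.
SAMPLE_TREE='[INFO] com.example:ingest:jar:1.0
[INFO] +- org.apache.tika:tika-core:jar:3.0.0:compile
[INFO] +- org.apache.tika:tika-parser-pdf-module:jar:3.2.3:compile
[INFO] \- org.apache.tika:tika-parsers-standard-package:jar:3.0.0:compile'

# Print the version of one org.apache.tika artifact found in dependency-tree text on stdin.
# $1 = artifactId, e.g. tika-core
tika_version() {
    sed -n "s/.*org\.apache\.tika:$1:jar:\([^:]*\):.*/\1/p" | head -n 1
}

# Succeed when version $1 is greater than or equal to $2 in version-sort order.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Classify a dependency tree ($1) against a fixed tika-core version ($2, placeholder):
#   ok             tika-core is at or above the fixed version
#   core-outdated  the PDF module is fixed but tika-core is not (the case the post describes)
#   vulnerable     neither artifact is at the fixed version
#   no-tika        no tika-core dependency found
check_tika() {
    tree="$1"; fixed="$2"
    core=$(printf '%s\n' "$tree" | tika_version tika-core)
    pdf=$(printf '%s\n' "$tree" | tika_version tika-parser-pdf-module)
    [ -n "$core" ] || { echo "no-tika"; return 0; }
    if version_ge "$core" "$fixed"; then
        echo "ok"
    elif [ -n "$pdf" ] && version_ge "$pdf" "$fixed"; then
        echo "core-outdated"
    else
        echo "vulnerable"
    fi
}

# Stand-alone run against the constructed tree, with 3.2.3 standing in for the fixed version.
check_tika "$SAMPLE_TREE" 3.2.3
```

In a real build, pipe `mvn dependency:tree -Dincludes=org.apache.tika` into the function and pass the fixed tika-core version from the project's advisory.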


Sources


  • https://securityaffairs.com/185363/security/maximum-severity-xxe-vulnerability-discovered-in-apache-tika.html

  • https://x.com/Dinosn/status/1997156319296368861

  • https://x.com/securityaffairs/status/1997094562192338998
