A vital security flaw has been disclosed in Apache Tika that might lead to an XML exterior entity (XXE) injection assault.
The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating most severity.
“Important XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms permits an attacker to hold out XML Exterior Entity injection through a crafted XFA file within a PDF,” in keeping with an advisory for the vulnerability.
It impacts the next Maven packages –
- org.apache.tika:tika-core >= 1.13, <= 3.2.1 (Patched in model 3.2.2)
- org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1 (Patched in model 3.2.2)
- org.apache.tika:tika-parsers >= 1.13, < 2.0.0 (Patched in model 2.0.0)
XXE injection refers to an internet security vulnerability that permits an attacker to intrude with an software’s processing of XML knowledge. This, in flip, makes it attainable to entry recordsdata on the applying server file system and, in some instances, even, obtain distant code execution.
CVE-2025-66516 is assessed to be the identical as CVE-2025-54988 (CVSS rating: 8.4), one other XXE flaw within the content material detection and evaluation framework that was patched by the mission maintainers in August 2025. The brand new CVE, the Apache Tika group mentioned, expands the scope of affected packages in two methods.
“First, whereas the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its repair had been in tika-core,” the group mentioned. “Customers who upgraded the tika-parser-pdf-module however didn’t improve tika-core to >= 3.2.2 would nonetheless be weak.”
“Second, the unique report failed to say that within the 1.x Tika releases, the PDFParser was within the “org.apache.tika:tika-parsers” module.”
In mild of the criticality of the vulnerability, customers are suggested to use the updates as quickly as attainable to mitigate potential threats.
