Apache Tika hit by critical vulnerability thought to be patched months ago
Briefly

"The maintainers have now realized that the XXE injection flaw is not limited to this module. It affects additional Tika components, namely Apache Tika tika-core, versions 1.13 to 3.2.1, and tika-parsers versions 1.13 to 1.28.5. In addition, legacy Tika parsers versions 1.13 to 1.28.5 are also affected. Unusually - and confusingly - this means there are now two CVEs for the same issue, with the second, CVE-2025-66516, a superset of the first."
"Presumably, the reasoning behind issuing a second CVE is that it draws attention to the fact that people who patched CVE-2025-54988 are still at risk because of the additional vulnerable components listed in CVE-2025-66516. So far, there's no evidence that the XXE injection weakness in these CVEs is being exploited by attackers in the wild. However, the risk is that this will quickly change should the vulnerability be reverse engineered or proofs-of-concept appear."
Maintainers confirmed that an XXE injection flaw affects multiple Apache Tika components beyond the originally identified module. Affected components include tika-core versions 1.13 through 3.2.1, tika-parsers versions 1.13 through 1.28.5, and legacy Tika parsers versions 1.13 through 1.28.5. Two CVEs now cover the vulnerability: CVE-2025-54988 and a broader superset, CVE-2025-66516. The superset CVE highlights that systems patched for the first CVE may remain vulnerable due to additional affected components. No evidence currently indicates active exploitation in the wild, but the potential for reverse engineering or public proofs-of-concept could increase risk rapidly.
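As an added check (not code from the InfoWorld article or the Tika project), the script below flags Maven dependencies that fall inside the version ranges quoted above. It assumes the artifact ids `tika-core` and `tika-parsers` under the `org.apache.tika` group, models the "legacy Tika parsers" as `tika-parsers` 1.x, and scans constructed `mvn dependency:list` output.

```python
import re

# Affected version ranges exactly as stated in the advisory text (inclusive).
# Artifact ids are assumed Maven coordinates under groupId org.apache.tika;
# "legacy Tika parsers" is modelled as tika-parsers 1.x (an assumption).
AFFECTED_RANGES = {
    "tika-core": ((1, 13, 0), (3, 2, 1)),
    "tika-parsers": ((1, 13, 0), (1, 28, 5)),
}

def parse_version(version: str) -> tuple:
    """Turn '1.28.5' or '2.9.1-SNAPSHOT' into a 3-tuple of ints for ordering."""
    core = version.split("-", 1)[0]            # drop any qualifier
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)                        # '1.13' -> (1, 13, 0)
    return tuple(parts[:3])

def is_affected(artifact: str, version: str) -> bool:
    """True if artifact/version lies inside a range named in the advisory."""
    bounds = AFFECTED_RANGES.get(artifact)
    if bounds is None:
        return False                           # artifact not named in the text
    low, high = bounds
    return low <= parse_version(version) <= high

# Shape of a `mvn dependency:list` line:
# [INFO]    org.apache.tika:tika-core:jar:2.9.1:compile
DEP_LINE = re.compile(r"org\.apache\.tika:([\w.-]+):\w+:([\w.-]+):\w+")

def scan_dependency_list(text: str) -> list:
    """Return (artifact, version) pairs from dependency:list output that are affected."""
    hits = []
    for match in DEP_LINE.finditer(text):
        artifact, version = match.group(1), match.group(2)
        if is_affected(artifact, version):
            hits.append((artifact, version))
    return hits

# Constructed sample output, not taken from any real build.
SAMPLE_OUTPUT = """\
[INFO]    org.apache.tika:tika-core:jar:2.9.1:compile
[INFO]    org.apache.tika:tika-parsers:jar:1.28.5:compile
[INFO]    org.apache.tika:tika-parsers-standard-package:jar:2.9.1:compile
[INFO]    org.apache.tika:tika-core:jar:3.2.1:test
"""

if __name__ == "__main__":
    for artifact, version in scan_dependency_list(SAMPLE_OUTPUT):
        print(f"AFFECTED: {artifact} {version}")
```

Artifacts the advisory text does not name (such as `tika-parsers-standard-package` in the sample) are deliberately not flagged; check those against the official Tika advisory for CVE-2025-66516.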
Read at InfoWorld