Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch
"A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity. 'Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF,' according to an advisory for the vulnerability."
"It affects the following Maven packages:
- org.apache.tika:tika-core >= 1.13, <= 3.2.1 (patched in version 3.2.2)
- org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1 (patched in version 3.2.2)
- org.apache.tika:tika-parsers >= 1.13, < 2.0.0 (patched in version 2.0.0)
XXE injection refers to a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. This, in turn, makes it possible to access files on the application server file system and, in some cases, even achieve remote code execution."
A critical XML External Entity (XXE) vulnerability (CVE-2025-66516) in Apache Tika lets an attacker inject XML entities through a crafted XFA file embedded in a PDF. The flaw carries a CVSS score of 10.0 and affects tika-core, tika-pdf-module and tika-parsers across the version ranges listed above. Affected Maven packages are org.apache.tika:tika-core (<= 3.2.1), tika-parser-pdf-module (<= 3.2.1), and tika-parsers (1.x, < 2.0.0); fixes are available in tika-core and tika-parser-pdf-module 3.2.2 and in tika-parsers 2.0.0. XXE can expose files on the server and, in some cases, lead to remote code execution. This issue widens the scope of the earlier CVE-2025-54988 because that fix was made in tika-core, while the PDFParser lived in a different location in the 1.x releases. Apply the listed updates immediately.
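To turn the version ranges above into a quick dependency audit, here is an added Python example (not from The Hacker News or the Apache Tika project) that checks org.apache.tika coordinates in a pom.xml against the affected ranges stated in the advisory; the sample pom.xml is constructed for illustration, and only plain numeric versions with literal <version> values are handled.

```python
"""Audit Maven coordinates against the CVE-2025-66516 ranges from the advisory."""
import xml.etree.ElementTree as ET

# (lowest affected, highest affected, upper bound inclusive?, fixed in),
# exactly as the advisory lists them.
AFFECTED = {
    "tika-core":              ("1.13", "3.2.1", True,  "3.2.2"),
    "tika-parser-pdf-module": ("2.0.0", "3.2.1", True,  "3.2.2"),
    "tika-parsers":           ("1.13", "2.0.0", False, "2.0.0"),
}

def parse_version(v):
    """'3.2.1' -> (3, 2, 1); pads so '1.13' compares as (1, 13, 0).
    Assumes plain numeric release versions (no -SNAPSHOT style suffixes)."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))

def is_affected(artifact, version):
    """True if this org.apache.tika artifact version falls in an affected range."""
    if artifact not in AFFECTED:
        return False
    low, high, high_inclusive, _ = AFFECTED[artifact]
    v = parse_version(version)
    above_low = v >= parse_version(low)
    below_high = v <= parse_version(high) if high_inclusive else v < parse_version(high)
    return above_low and below_high

def audit_pom(pom_text):
    """Return [(artifactId, version, fixed_in)] for each affected Tika dependency.
    Only literal <version> values are handled, not ${property} references."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_text)
    findings = []
    for dep in root.iterfind(".//m:dependency", ns):
        group = dep.findtext("m:groupId", default="", namespaces=ns)
        artifact = dep.findtext("m:artifactId", default="", namespaces=ns)
        version = dep.findtext("m:version", default="", namespaces=ns)
        if group == "org.apache.tika" and version and is_affected(artifact, version):
            findings.append((artifact, version, AFFECTED[artifact][3]))
    return findings

# Constructed sample pom.xml (not a real project) mixing vulnerable and patched coordinates.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>org.apache.tika</groupId><artifactId>tika-core</artifactId><version>3.2.1</version></dependency>
<dependency><groupId>org.apache.tika</groupId><artifactId>tika-parser-pdf-module</artifactId><version>3.2.2</version></dependency>
<dependency><groupId>org.apache.tika</groupId><artifactId>tika-parsers</artifactId><version>1.28.5</version></dependency>
</dependencies></project>"""

if __name__ == "__main__":
    for artifact, version, fixed in audit_pom(SAMPLE_POM):
        print(f"{artifact} {version} is affected by CVE-2025-66516; upgrade to {fixed}")
```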
Read at The Hacker News