Tim Allison

**Name of the Vulnerable Software and Affected Versions** Apache Tika versions 1.13 through 3.2.1 Apache Tika tika-core versions 1.13 through 3.2.1 Apache Tika tika-pdf-module versions 2.0.0 through 3.2.1 Apache Tika tika-parsers versions 1.13 through 1.28.5 **Description** Apache Tika contains a critical XML External Entity (XXE) vulnerability (CVE-2025-66516) with a CVSS score of 10.0. This flaw allows attackers to carry out XXE injection via a crafted XFA file inside a PDF. Exploitation can lead to remote code execution, data exposure, server-side request forgery (SSRF), or denial of service. The vulnerability resides in the `tika-core` component, but also affects the `tika-parser-pdf-module` and `tika-parsers` modules. The vulnerability occurs when parsing XFA-formatted PDFs, where external entity resolution is not properly restricted. Approximately 12,600 services are estimated to be affected worldwide. **Recommendations** Upgrade Apache Tika to version 3.2.2 or later, ensuring that both the `tika-core` and `tika-parser-pdf-module` are updated. If an immediate update is not possible, temporarily disable the processing of XFA-formatted PDFs or implement validation and filtering of incoming documents. Isolate Tika processes using sandboxing, restrict file system access, and prohibit outgoing network requests. Audit logs for suspicious activity related to PDF parsing and XML processing.

**Name of the Vulnerable Software and Affected Versions** Apache Tika versions 0.9 through 1.18 **Description** The issue arises in a rare edge case where a user does not specify an extract directory on the command line and the input file has an embedded file with an absolute path. For example, if the input file contains "C:/evil.bat", tika-app would overwrite that file. **Recommendations** For Apache Tika versions 0.9 through 1.18, consider specifying an extract directory on the command line using the --extract-dir option to avoid potential file overwrites. As a temporary workaround, restrict the use of absolute paths in embedded files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Tika server (aka tika-server) version 1.9 **Description** The issue allows remote attackers to read arbitrary files via the HTTP `fileUrl` header. This is possible when Apache Tika is used as a web service, enabling a 3rd party to pass a `fileUrl` header to the Apache Tika Server. The header lets a remote client request that the server fetches content from the URL provided, including files from the server's local filesystem. Depending on the file permissions set on the local filesystem, this could be used to return sensitive content from the server machine. **Recommendations** For Apache Tika server version 1.9, consider updating to version 1.10 or later to resolve the issue. As a temporary workaround, restrict access to the tika-server URL to prevent un-trusted access. Additionally, consider disabling the `fileUrl` header functionality until a patch is applied.