Paras Jain

Researcher from Amazon
#22920 of 53,633
10 Total CVSS
Vulnerabilities · 1
PT-2025-34153
10
2025-08-20
Apache · Tika-Parsers-Standard-Package · CVE-2025-54988
**Name of the Vulnerable Software and Affected Versions**

- Apache Tika versions 1.13 through 3.2.1
- Apache Tika tika-core versions 1.13 through 3.2.1
- Apache Tika tika-pdf-module versions 2.0.0 through 3.2.1
- Apache Tika tika-parsers versions 1.13 through 1.28.5

**Description**

A critical XML External Entity (XXE) issue exists in Apache Tika, specifically within the `tika-parser-pdf-module`, `tika-core`, and `tika-parsers` components. This flaw allows an attacker to inject malicious XML code via a crafted XFA file embedded within a PDF document. Successful exploitation could enable an attacker to read sensitive data or initiate unauthorized requests to internal resources or external servers.

The root cause of the vulnerability lies within the `PDFParser` component, initially reported in the `tika-parser-pdf-module` but ultimately fixed in `tika-core`. The vulnerability affects versions 1.x where the `PDFParser` resides in the `org.apache.tika:tika-parsers` module.

**Recommendations**

- Upgrade to Apache Tika version 3.2.2 or later.
- Upgrade `tika-core` to version 3.2.2 or later.
- Upgrade `tika-pdf-module` to version 3.2.2 or later.
- Upgrade `tika-parsers` to version 1.28.5 or later.