PT-2025-49099 · Apache · Apache Tika
Published 2025-12-04 · Updated 2025-12-08
CVE-2025-66516
CVSS v4.0: 10 (Critical)
Base vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
Apache Tika versions 1.13 through 3.2.1
Apache Tika tika-pdf-module versions 2.0.0 through 3.2.1
Apache Tika tika-parsers versions 1.13 through 1.28.5
Description
Apache Tika is affected by a critical XML External Entity (XXE) injection flaw. The issue is triggered by crafted XFA data embedded in PDF documents and allows an attacker to read files from the server or potentially execute remote code. The vulnerability resides in the tika-core component and impacts the tika-parser-pdf-module and, in 1.x releases, the tika-parsers module. It is reachable whenever Tika processes a PDF containing XFA data without restricting external XML entities; the affected code is the XML parser within tika-core. Approximately 200 hosts in the Russian network segment are estimated to be vulnerable, with a potential impact on 95% of those systems. Successful exploitation allows reading arbitrary files from the host or initiating Server-Side Request Forgery (SSRF) attacks.
Recommendations
Update Apache Tika to version 3.2.2, ensuring that tika-core is also updated.
If an immediate update is not possible, temporarily disable or restrict the processing of XFA-PDF files, and implement validation and filtering of incoming documents.
Isolate Tika processes using sandboxing, restrict file system access, and prohibit outgoing requests.
Verify dependencies in applications that utilize Tika, as it may be included transitively through search modules or ECM platforms.
Audit Tika logs and logs from all services where automatic PDF analysis is performed.
Fix
RCE
XXE
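As an added example (not code from this advisory or from the Apache Tika project), a Python pre-filter that implements the interim recommendation above: it inflates the streams of an incoming PDF and holds back any XFA-bearing document whose XML declares external entities or an external DTD, or, in strict mode, every XFA-bearing PDF. The minimal PDF layout, the two XFA packets and the placeholder entity URI are constructed for the example and are not taken from any real sample.

```python
import re
import zlib

# Constructed XFA packets (not from the advisory). The first declares an external
# entity with a placeholder URI so the detector has something to flag.
XFA_WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?><!DOCTYPE xdp [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"/>')
XFA_BENIGN = b'<?xml version="1.0"?><xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"/>'

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# DTD constructs that make an XML parser reach outside the document: external
# general or parameter entities, and an external DTD subset on the DOCTYPE.
EXTERNAL_DTD_RE = re.compile(rb"<!(?:ENTITY|DOCTYPE)\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\b")
MAX_INFLATE = 8 * 1024 * 1024  # cap inflated size so a zip bomb cannot exhaust memory


def build_pdf(xfa_xml: bytes, compress: bool = True) -> bytes:
    """Minimal constructed PDF whose AcroForm references one /XFA stream."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog /AcroForm << /XFA 2 0 R >> >> endobj\n"
            b"2 0 obj << " + filt + b"/Length " + str(len(body)).encode()
            + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


def stream_contents(pdf: bytes):
    """Yield every stream body; FlateDecode data is inflated, anything else scanned raw."""
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            yield zlib.decompressobj().decompress(raw, MAX_INFLATE)
        except zlib.error:
            yield raw


def external_dtd_hits(pdf: bytes) -> list:
    """External entity / DTD declarations found in any stream of the PDF."""
    hits = []
    for data in stream_contents(pdf):
        hits.extend(h.decode("ascii", "replace") for h in EXTERNAL_DTD_RE.findall(data))
    return hits


def should_quarantine(pdf: bytes, block_all_xfa: bool = False) -> bool:
    """Upload gate in front of Tika. block_all_xfa=True rejects every XFA-bearing PDF
    (the advisory's blunt option); otherwise only XFA PDFs with external DTD/entities."""
    if b"/XFA" not in pdf:
        return False
    return block_all_xfa or bool(external_dtd_hits(pdf))
```

The filter understands only FlateDecode and uncompressed streams; PDFs using other filters or object streams should be rejected or unpacked with a full PDF library before this check is applied.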
Related Identifiers
CVE-2025-66516
GHSA-F58C-GQ56-VJJF
Affected Products
Apache Tika
Debian
Tika-Core
Tika-Parsers
Tika-Pdf-Module
References
- https://security-tracker.debian.org/tracker/CVE-2025-66516 · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-66516 · Security Note
- https://cve.org/CVERecord?id=CVE-2025-54988 · Security Note
- https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k · Vendor Advisory
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66516 · Security Note
- https://osv.dev/vulnerability/GHSA-f58c-gq56-vjjf · Vendor Advisory
- https://github.com/apache/tika · Note
- https://twitter.com/threatcluster/status/1997863771893600456 · Twitter Post
- https://twitter.com/pigram86/status/1996991297295352242 · Twitter Post
- https://t.me/CVEtracker/38845 · Telegram Post
- https://twitter.com/buzz_sec/status/1996989347694788617 · Twitter Post
- https://twitter.com/TheCyberSecHub/status/1996989522849214974 · Twitter Post
- https://packages.debian.org/src:tika · Note
- https://t.me/purp_sec/1324 · Telegram Post
- https://reddit.com/r/CVEWatch/comments/1pgftjk/top_10_trending_cves_07122025 · Reddit Post