PT-2025-49099 · Apache · Apache Tika

Tim Allison · Published 2025-10-26 · Updated 2026-06-22 · CVE-2025-66516

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
tika-core versions 1.13 through 3.2.1
tika-parser-pdf-module versions 2.0.0 through 3.2.1
tika-parsers versions 1.13 through 1.28.5

Description
Apache Tika incorrectly handles XML external entities when parsing XFA (XML Forms Architecture) content embedded in PDF files. This allows a remote attacker to perform XML External Entity (XXE) injection by using a crafted XFA file inside a PDF. The issue stems from the XML parser in tika-core failing to restrict external XML references. Successful exploitation can lead to local file disclosure, Server-Side Request Forgery (SSRF), Denial of Service (DoS), or remote code execution in certain exploit chains. The vulnerability affects embedded Tika deployments using the default JDK StAX parser. Approximately 200 hosts in the RuNet segment are identified as using Apache Tika, with an estimated 95% being vulnerable.

Recommendations
Update tika-core, tika-parser-pdf-module, and tika-parsers to version 3.2.2. As a temporary workaround, disable or restrict the processing of XFA content in PDF files. Isolate Tika processes using a sandbox, restrict file system access permissions, and prohibit outgoing network requests.
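The hardening the description implies for the JDK StAX parser, shown as an added illustration that is not code from this advisory or from Apache Tika: the factory has DTD processing and external entity resolution switched off, and it is run over a constructed XFA-style fragment that declares an external entity (the class name, the sample and the placeholder SYSTEM URI are all assumptions).

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedXfaStax {
    // Constructed sample, not a real XFA form: a fragment whose DOCTYPE declares an
    // external entity. The SYSTEM URI is a placeholder, not a real file.
    static final String SAMPLE_XFA =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE xdp [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\">]>\n"
        + "<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\"><field>&ext;</field></xdp:xdp>";
    // JDK XMLInputFactory with DTD processing and external entity resolution switched
    // off, so the parser never fetches file:// or http:// resources named in a DOCTYPE.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }
    // Returns the character data the reader yields. With the hardened factory the
    // external entity is never expanded: depending on the JDK build it shows up as an
    // ENTITY_REFERENCE event (recorded as a marker) or as an XMLStreamException.
    static String extractText(XMLInputFactory factory, String xml) throws XMLStreamException {
        StringBuilder out = new StringBuilder();
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.CHARACTERS) {
                    out.append(r.getText());
                } else if (ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    out.append("[unresolved entity: ").append(r.getLocalName()).append(']');
                }
            }
        } finally {
            r.close();
        }
        return out.toString();
    }

    public static void main(String[] args) {
        try {
            System.out.println("parsed text: " + extractText(hardenedFactory(), SAMPLE_XFA));
        } catch (XMLStreamException e) {
            System.out.println("rejected by hardened parser: " + e.getMessage());
        }
    }
}
```

Either outcome (a marker in place of the entity, or a rejected document) means the referenced resource was not read; a factory that resolves the entity instead is the configuration the advisory warns about.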

Tags: Exploit, Fix, RCE, DoS, XXE


Weakness Enumeration

Related Identifiers

BDU:2025-15736
CVE-2025-66516
DLA-4350-1
GHSA-F58C-GQ56-VJJF
USN-8324-1

Affected Products

Apache Tika
Bamboo
Confluence
Debian
Linuxmint
Ubuntu
Tika-Core
Tika-Parsers
Tika-Pdf-Module