PT-2025-49099 · Apache +2 · Tika-Parsers +6

Tim Allison · Published 2025-10-26 · Updated 2026-01-22 · CVE-2025-66516

CVSS v4.0: 10.0
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

Apache Tika versions 1.13 through 3.2.1
Apache Tika tika-core versions 1.13 through 3.2.1
Apache Tika tika-parser-pdf-module versions 2.0.0 through 3.2.1
Apache Tika tika-parsers versions 1.13 through 1.28.5
Description

Apache Tika contains a critical XML External Entity (XXE) vulnerability, CVE-2025-66516, rated CVSS 10.0. An attacker who can get a document parsed by Tika can carry out XXE injection with a crafted XFA form embedded in a PDF: when the XFA XML is parsed, external entity resolution is not properly restricted, so entity declarations in the attacker-controlled XML are honoured by the parsing process. Depending on the deployment, exploitation can lead to disclosure of local files and other data, server-side request forgery (SSRF), denial of service, or remote code execution. The vulnerable code resides in the tika-core component, but the tika-parser-pdf-module and (in the 1.x line) tika-parsers modules are affected as well, since PDF parsing, and with it XFA extraction, lives there. Because the XFA form travels inside an ordinary PDF, any service that accepts PDFs from untrusted sources (upload handlers, mail gateways, search indexers, Tika Server) is exposed. Approximately 12,600 services are estimated to be affected worldwide.
Recommendations

Upgrade Apache Tika to version 3.2.2 or later, and verify that both tika-core and tika-parser-pdf-module are actually resolved to the fixed version on the classpath: a dependency tree that pins one artifact to 3.2.2 while the other is still pulled in at 3.2.1 leaves the flaw in place. Users of the 1.x line (tika-parsers 1.13 through 1.28.5) have no fixed 1.x release listed and should move to 3.2.2 as well. Where Tika is bundled by another product (Atlassian Bamboo and Confluence and the Debian package are listed as affected), take the vendor's update; Debian tracks the fix as DLA-4350-1.

If an immediate update is not possible, temporarily disable the processing of XFA-formatted PDFs, or validate and filter incoming documents so that PDFs carrying an XFA form are rejected or quarantined before they reach the parser. Isolate Tika processes with sandboxing, restrict their file system access to what parsing needs, and block outgoing network requests from them; this removes most of the data exfiltration and SSRF paths even if a payload reaches the parser. Audit logs for suspicious activity related to PDF parsing and XML processing, for example parse failures on XFA documents or unexpected outbound connections from the parsing host.

Tags: Exploit · Fix · DoS · RCE · XXE

Weakness Enumeration

Related Identifiers

BDU:2025-15736
CVE-2025-66516
DLA-4350-1
GHSA-F58C-GQ56-VJJF

Affected Products

Apache Tika
Bamboo
Confluence
Debian
Tika-Core
Tika-Parsers
Tika-Pdf-Module