PT-2025-34153 · Apache · Tika-Parsers-Standard-Package

Paras Jain · Published 2025-08-20 · Updated 2026-05-27 · CVE-2025-54988

CVSS v4.0: 10 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions

Apache Tika versions 1.13 through 3.2.1
Apache Tika tika-core versions 1.13 through 3.2.1
Apache Tika tika-pdf-module versions 2.0.0 through 3.2.1
Apache Tika tika-parsers versions 1.13 through 1.28.5

Description

A critical XML External Entity (XXE) vulnerability exists in Apache Tika, specifically in the tika-parser-pdf-module, tika-core, and tika-parsers components. The flaw allows an attacker to inject malicious XML via a crafted XFA file embedded in a PDF document. Successful exploitation could allow an attacker to read sensitive data or to initiate unauthorized requests to internal resources or external servers. The root cause lies in the PDFParser component: the issue was initially reported against tika-parser-pdf-module but was ultimately fixed in tika-core. In the 1.x line the vulnerability affects the org.apache.tika:tika-parsers module, where PDFParser resides.

Recommendations

Upgrade Apache Tika to version 3.2.2 or later.
Upgrade tika-core to version 3.2.2 or later.
Upgrade tika-pdf-module to version 3.2.2 or later.
Upgrade tika-parsers to version 1.28.5 or later.
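To confirm exposure in a build, here is an added Python example (not part of this advisory and not Apache Tika code) that scans `mvn dependency:list` output against the version ranges quoted above. It assumes the Maven coordinates org.apache.tika:tika-core, org.apache.tika:tika-parser-pdf-module and org.apache.tika:tika-parsers, checks only the three artifacts given explicit ranges, and uses constructed sample output lines.

```python
# Added example (not from the advisory or Apache Tika): flag Maven artifacts
# whose versions fall inside the affected ranges quoted in this advisory.
import re

# groupId:artifactId -> (first, last) affected version, inclusive, as stated
# in the "Affected Versions" line. Only artifacts with explicit ranges appear.
AFFECTED = {
    "org.apache.tika:tika-core": ("1.13", "3.2.1"),
    "org.apache.tika:tika-parser-pdf-module": ("2.0.0", "3.2.1"),
    "org.apache.tika:tika-parsers": ("1.13", "1.28.5"),
}


def parse_version(v: str) -> tuple:
    """'1.13' -> (1, 13, 0); '3.2.2-SNAPSHOT' -> (3, 2, 2). Qualifiers dropped."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(coordinate: str, version: str) -> bool:
    """True when the coordinate has a range above and version lies inside it."""
    rng = AFFECTED.get(coordinate)
    if rng is None:
        return False
    low, high = (parse_version(x) for x in rng)
    return low <= parse_version(version) <= high


# One `mvn dependency:list` line: groupId:artifactId:type:version:scope
# (assumption: no classifier field, which would shift the version column).
DEP_LINE = re.compile(r"(\S+):(\S+):(?:jar|pom):(\S+):(\S+)")


def scan_dependency_list(text: str) -> list:
    """Return [(coordinate, version), ...] for every affected entry in text."""
    hits = []
    for m in DEP_LINE.finditer(text):
        coord = f"{m.group(1)}:{m.group(2)}"
        if is_affected(coord, m.group(3)):
            hits.append((coord, m.group(3)))
    return hits


# Constructed sample of dependency:list output; not a real project's inventory.
SAMPLE = """\
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parsers-standard-package:jar:3.2.1:compile
[INFO]    org.apache.pdfbox:pdfbox:jar:3.0.5:compile
"""

if __name__ == "__main__":
    for coord, ver in scan_dependency_list(SAMPLE):
        print(f"AFFECTED {coord} {ver} (upgrade per the recommendations above)")
```

Pipe real `mvn dependency:list` output into `scan_dependency_list` to check a project; an empty result means none of the three ranged artifacts is present at an affected version.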

Fix

RCE

XXE

Weakness Enumeration

Related Identifiers

BDU:2026-00894
CVE-2025-54988
DLA-4350-1
GHSA-F58C-GQ56-VJJF
GHSA-P72G-PV48-7W9X
USN-8324-1

Affected Products

Apache Tika
Bamboo
Confluence
Debian
Tika-App
Tika-Grpc
Tika-Parser-Pdf-Module
Tika-Parsers-Standard-Modules
Tika-Parsers-Standard-Package
Tika-Server-Standard