PT-2025-49099 · Apache+2 · Tika-Parsers+6
Tim Allison · Published 2025-10-26 · Updated 2026-02-28 · CVE-2025-66516
CVSS v4.0: 10 (Critical)
Base vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
Apache Tika versions 1.13 through 3.2.1
Apache Tika tika-core versions 1.13 through 3.2.1
Apache Tika tika-pdf-module versions 2.0.0 through 3.2.1
Apache Tika tika-parsers versions 1.13 through 1.28.5
Description
Apache Tika contains a critical XML External Entity (XXE) vulnerability (CVE-2025-66516) with a CVSS score of 10.0. The flaw allows an attacker to perform XXE injection via a crafted XFA file embedded in a PDF. Exploitation can lead to remote code execution, data exposure, server-side request forgery (SSRF), or denial of service. The vulnerability resides in the tika-core component but also affects the tika-parser-pdf-module and tika-parsers modules. It is triggered when XFA-formatted PDFs are parsed, because external entity resolution is not properly restricted during XFA processing. Approximately 12,600 services are estimated to be affected worldwide.
Recommendations
Upgrade Apache Tika to version 3.2.2 or later, ensuring that both tika-core and tika-parser-pdf-module are updated. If an immediate update is not possible, temporarily disable the processing of XFA-formatted PDFs or implement validation and filtering of incoming documents. Isolate Tika processes using sandboxing, restrict file system access, and prohibit outgoing network requests. Audit logs for suspicious activity related to PDF parsing and XML processing.
Tags: Exploit · Fix · DoS · RCE · XXE
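As an added example (not part of this advisory or of the Tika project), a Python pre-ingestion filter implementing the "validation and filtering of incoming documents" mitigation: it decodes a PDF's streams and quarantines any file whose XFA packet carries a DOCTYPE or an external (SYSTEM/PUBLIC) entity declaration, which a legitimate XFA form never needs. The minimal PDF fixture and the placeholder URI are constructed for the example.

```python
import re
import zlib

# Markers that identify an XFA (XDP) packet inside a PDF stream.
XFA_MARKERS = (b"<xdp:xdp", b"http://www.xfa.org/schema/")
# DTD constructs a benign XFA form never needs; SYSTEM/PUBLIC name an external resource.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def decode_streams(pdf: bytes):
    """Yield each PDF stream body as stored and, when it is Flate-compressed, decoded too."""
    for match in STREAM_RE.finditer(pdf):
        raw = match.group(1)
        yield raw
        try:
            yield zlib.decompress(raw)
        except zlib.error:
            continue  # not Flate data; the stored bytes were already yielded

def xfa_risk_findings(pdf: bytes) -> list:
    """Reasons to quarantine a PDF before Tika sees it: an XFA packet with a DOCTYPE or external entity."""
    findings = []
    for content in decode_streams(pdf):
        if not any(marker in content for marker in XFA_MARKERS):
            continue
        if EXTERNAL_ENTITY_RE.search(content):
            findings.append("xfa-external-entity")
        elif DOCTYPE_RE.search(content):
            findings.append("xfa-doctype")
    return findings

def build_sample_pdf(xfa_xml: bytes) -> bytes:
    """Constructed minimal PDF-like file holding one Flate-compressed XFA stream (fixture only)."""
    body = zlib.compress(xfa_xml)
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /AcroForm << /XFA 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")

# Constructed samples; the SYSTEM identifier is a placeholder, not a real resource.
BENIGN_XFA = (b'<?xml version="1.0"?><xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
              b'<template><subform name="form1"/></template></xdp:xdp>')
SUSPICIOUS_XFA = (b'<?xml version="1.0"?><!DOCTYPE xdp:xdp [<!ENTITY ext SYSTEM "http://placeholder.invalid/r">]>'
                  b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>&ext;</template></xdp:xdp>')

if __name__ == "__main__":
    for name, xml in (("benign", BENIGN_XFA), ("suspicious", SUSPICIOUS_XFA)):
        print(name, xfa_risk_findings(build_sample_pdf(xml)))
```

This is a heuristic gate for the interim period before upgrading to 3.2.2; it does not replace the patch, and files it flags should be held rather than parsed.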
Related Identifiers
BDU:2025-15736
CVE-2025-66516
DLA-4350-1
GHSA-F58C-GQ56-VJJF
Affected Products
Apache Tika
Bamboo
Confluence
Debian
Tika-Core
Tika-Parsers
Tika-Pdf-Module
References · 125
- https://github.com/Ashwesker/Blackash-CVE-2025-66516 · Exploit
- https://bdu.fstec.ru/vul/2025-15736 · Security Note
- https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k · Vendor Advisory
- https://ubuntu.com/security/CVE-2025-66516 · Vendor Advisory
- https://osv.dev/vulnerability/CVE-2025-66516 · Vendor Advisory
- https://osv.dev/vulnerability/DLA-4350-1 · Vendor Advisory
- https://cve.org/CVERecord?id=CVE-2025-54988 · Security Note
- https://osv.dev/vulnerability/DEBIAN-CVE-2025-66516 · Vendor Advisory
- https://osv.dev/vulnerability/GHSA-f58c-gq56-vjjf · Vendor Advisory
- https://cve.org/CVERecord?id=CVE-2025-66516 · Security Note
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66516 · Security Note
- https://osv.dev/vulnerability/UBUNTU-CVE-2025-66516 · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-66516 · Security Note
- https://security-tracker.debian.org/tracker/CVE-2025-66516 · Vendor Advisory
- https://github.com/apache/tika · Note