Critical XXE Vulnerability Patched in Apache Tika

Apache developers have patched a critical vulnerability in Apache Tika—a widely used toolkit for detecting and extracting metadata from various file formats. The flaw, identified as CVE-2025-66516, scores a perfect 10.0 on the CVSS scale and enables XXE (XML External Entity) injection attacks through specially crafted XFA files embedded in PDFs.

The vulnerability affects multiple versions across three key modules: tika-core (versions 1.13 to 3.2.1), tika-parser-pdf-module (versions 2.0.0 to 3.2.1), and tika-parsers (versions 1.13 to 1.28.5) on all platforms.

What XXE Attacks Enable

XXE attacks manipulate how applications process XML data, potentially allowing attackers to read files on the application server. In some scenarios, these attacks can escalate to remote code execution—making this vulnerability particularly serious.

Connection to Previous Vulnerability

CVE-2025-66516 relates directly to another Tika flaw—CVE-2025-54988 (CVSS 8.4)—that developers patched in August 2025. The new vulnerability expands the attack surface in two significant ways.

Per the Apache development team, the entry point for CVE-2025-54988 was tika-parser-pdf-module, but the actual vulnerability and its fix resided in tika-core. This means users who updated only tika-parser-pdf-module without updating tika-core to version 3.2.2 or higher remain exposed to attacks.

Additionally, developers identified an error in the initial security advisory: it failed to mention that in Tika 1.x releases, the PDFParser component existed in the org.apache.tika:tika-parsers module. This oversight means more systems are potentially vulnerable than initially disclosed.

Patches Available Now

Developers have released fixes for all affected Maven packages:

  • tika-core: Version 3.2.2
  • tika-parser-pdf-module: Version 3.2.2
  • tika-parsers: Version 2.0.0

Given the critical severity rating and the potential for remote code execution, security teams should prioritize applying these updates immediately.
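Because the fix lives in tika-core while the entry point is the PDF module, and because 1.x deployments carry the parser in tika-parsers, a build can look patched while still shipping a vulnerable core. The script below is an added example, not part of the advisory or the Tika project: it walks `mvn dependency:list`-style output and flags any of the three artifacts whose resolved version falls inside the affected ranges stated above. The dependency lines are constructed sample data; on a real project pipe in `mvn dependency:list` (or `dependency:tree`) output instead.

```shell
#!/bin/sh
# Audit resolved Maven dependencies for the Tika versions affected by CVE-2025-66516.
# Affected ranges and fixed versions are those given in the advisory summary above.

# Constructed sample of `mvn dependency:list` output (not a real build), showing the
# exact trap the advisory warns about: the PDF module was bumped but tika-core was not,
# and a legacy tika-parsers 1.x artifact is still on the classpath.
SAMPLE_DEPS='[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.apache.pdfbox:pdfbox:jar:3.0.5:compile
[INFO]    org.apache.tika:tika-parsers:jar:1.28.5:compile'

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Components are compared numerically; a missing component counts as 0 and a
# qualifier such as "-SNAPSHOT" is ignored by awk's numeric conversion.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0;
      yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1;
  }'
}

# in_range V LOW FIXED: true when LOW <= V < FIXED (FIXED is the first safe release).
in_range() {
  ! version_lt "$1" "$2" && version_lt "$1" "$3"
}

# fixed_version ARTIFACT: first release that carries the fix for that artifact.
fixed_version() {
  case "$1" in
    tika-core|tika-parser-pdf-module) echo 3.2.2 ;;
    tika-parsers) echo 2.0.0 ;;
    *) echo n/a ;;
  esac
}

# tika_status ARTIFACT VERSION: prints vulnerable / ok / unaffected.
tika_status() {
  case "$1" in
    tika-core)               in_range "$2" 1.13  3.2.2 && echo vulnerable || echo ok ;;
    tika-parser-pdf-module)  in_range "$2" 2.0.0 3.2.2 && echo vulnerable || echo ok ;;
    tika-parsers)            in_range "$2" 1.13  2.0.0 && echo vulnerable || echo ok ;;
    *) echo unaffected ;;
  esac
}

# audit_tika_deps: reads dependency lines on stdin, prints one verdict per Tika artifact.
# The coordinate is the last whitespace-separated field, so both dependency:list and
# dependency:tree output (with its "+-" prefixes) work.
audit_tika_deps() {
  grep 'org\.apache\.tika:' | awk '{print $NF}' | awk -F: '
    NF == 5 { print $2, $4 }   # group:artifact:type:version:scope
    NF == 6 { print $2, $5 }   # group:artifact:type:classifier:version:scope
  ' | while read -r artifact version; do
    status=$(tika_status "$artifact" "$version")
    if [ "$status" = "vulnerable" ]; then
      printf 'VULNERABLE %s %s -> upgrade to %s\n' "$artifact" "$version" "$(fixed_version "$artifact")"
    else
      printf 'ok         %s %s\n' "$artifact" "$version"
    fi
  done
}

# count_vulnerable_deps: number of flagged artifacts in the stdin dependency listing.
count_vulnerable_deps() {
  audit_tika_deps | grep -c '^VULNERABLE' || true
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_DEPS" | audit_tika_deps
```

A non-zero count from `count_vulnerable_deps` is the signal to fail the build. Note that the check is only as good as the resolved versions Maven reports; a shaded or repackaged Tika inside another jar will not appear in this listing.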