CVE-2025-66516
Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected
Description
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
INFO
Published Date :
Dec. 4, 2025, 5:15 p.m.
Last Modified :
Dec. 4, 2025, 5:15 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 4.0 | CRITICAL | f0158376-9dc2-43b6-827c-5f631a4d8d09 | ||||
| CVSS 4.0 | CRITICAL | [email protected] |
Solution
- Update tika-core to version 3.2.2 or later.
- Update tika-parsers to version 1.28.5 or later.
- Update tika-pdf-module to version 3.2.2 or later.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-66516.
| URL | Resource |
|---|---|
| https://cve.org/CVERecord?id=CVE-2025-54988 | |
| https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-66516 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-66516
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-66516 vulnerability anywhere in the article.
-
The Hacker News
Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch
Dec 05, 2025Ravie LakshmananApplication Security / Vulnerability A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vu ... Read more
-
CybersecurityNews
Critical Apache Tika Core Vulnerability Exploited by Uploading Malicious PDF
A critical security vulnerability in Apache Tika has been discovered that allows attackers to compromise systems by uploading specially crafted PDF files. Organizations worldwide are urged to patch im ... Read more
-
Daily CyberSecurity
The PDF Trap: Critical Vulnerability (CVE-2025-66516, CVSS 10.0) Hits Apache Tika Core
The Apache Tika toolkit, the industry standard for detecting and extracting metadata from over a thousand file types, has issued a maximum-severity alert. A critical XML External Entity (XXE) vulnerab ... Read more
-
Daily CyberSecurity
“React2Shell” Storm: China-Nexus Groups Weaponize Critical React Flaw Hours After Disclosure
Only hours after the public disclosure of a critical vulnerability in the React ecosystem, state-sponsored cyber espionage groups have already launched active exploitation campaigns. Amazon threat int ... Read more
The following table lists the changes that have been made to the
CVE-2025-66516 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
New CVE Received by [email protected]
Dec. 04, 2025
Action Type Old Value New Value Added Description Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-611 Added Reference https://cve.org/CVERecord?id=CVE-2025-54988 Added Reference https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k