Critical Apache Tika Vulnerability Leads to XXE Injection

Critical Apache Tika Vulnerability Leads to XXE Injection

Posted on By CWS

A critical-severity vulnerability within the Apache Tika open supply evaluation toolkit may enable attackers to carry out XML Exterior Entity (XXE) injection assaults.

Apache Tika capabilities as a common parser able to extracting info from nearly all forms of information, making it a core a part of indexing and evaluation instruments.

The vital problem, tracked as CVE-2025-66516 (CVSS rating of 10/10), impacts the tika-core, tika-pdf-module, and tika-parsers modules of Apache Tika.

Attackers can exploit the flaw by way of crafted XFA information positioned inside PDF information, on all platforms.

Profitable exploitation of XXE injection weaknesses may sometimes result in info leaks, SSRF assaults, denial-of-service (DoS), or distant code execution (RCE).

Thus, the vulnerability poses a serious threat, given the important position Apache Tika has inside search engines like google, content material administration methods, and information evaluation instruments.

CVE-2025-66516, VP of Apache Tika Tim Allison explains in an advisory, expands the scope of CVE-2025-54988 (CVSS rating of 8.4), which was publicly disclosed in August.

The unique vulnerability, Allison notes, impacts tika-core, however the entry level was the tika-parser-pdf-module package deal, thus requiring that each packages be up to date to totally resolve the bug.Commercial. Scroll to proceed studying.

Moreover, he explains, the unique report on the XXE flaw didn’t point out that the PDF parser within the 1.x Tika releases was within the tika-parsers module.

The newly disclosed Apache Tika vulnerability was patched in tika-core model 3.2.2, tika-parser-pdf-module model 3.2.2, and tika-parsers model 2.0.0.

The affected modules are used as dependencies in different packages. Customers are suggested to use the patches as quickly as doable.

Associated: Exploitation of React2Shell Surges

Associated: Important King Addons Vulnerability Exploited to Hack WordPress Websites

Associated: Microsoft Silently Mitigated Exploited LNK Vulnerability

Associated: Latest 7-Zip Vulnerability Exploited in Assaults

Security Week News Tags:, , , , , ,

Related Posts

Radical Empowerment From Your Leadership: Understood by Few, Essential for All Radical Empowerment From Your Leadership: Understood by Few, Essential for All Security Week News
Hackers Weaponize Trust with AI-Crafted Emails to Deploy ScreenConnect Hackers Weaponize Trust with AI-Crafted Emails to Deploy ScreenConnect Security Week News
Critical HPE OneView Vulnerability Exploited in Attacks Critical HPE OneView Vulnerability Exploited in Attacks Security Week News
Swimlane Raises Million for Security Automation Platform Swimlane Raises $45 Million for Security Automation Platform Security Week News
Top US Accounting Firm Sax Discloses 2024 Data Breach Impacting 220,000 Top US Accounting Firm Sax Discloses 2024 Data Breach Impacting 220,000 Security Week News
Jaguar Land Rover Operations ‘Severely Disrupted’ by Cyberattack Jaguar Land Rover Operations ‘Severely Disrupted’ by Cyberattack Security Week News