A critical security vulnerability in Apache Tika has been disclosed that lets attackers compromise systems by supplying specially crafted PDF files. Organizations worldwide are urged to patch immediately.
Apache Tika is a popular open-source toolkit used by thousands of organizations to extract text and metadata from documents, including PDFs, Word files, and images.
The Tika project has identified a critical flaw that attackers can exploit by embedding malicious XML inside PDF files.
Apache Tika Core Vulnerability
The vulnerability is an XML External Entity (XXE) injection flaw. Attackers craft PDF documents containing XFA (XML Forms Architecture) form data whose XML declares external entities; when Tika parses the XFA packet, the XML parser resolves those entities.
This allows an attacker to read sensitive files from the server running Tika, reach internal or external hosts through server-side request forgery, or cause denial of service. XXE does not by itself yield arbitrary code execution, but the data it leaks (credentials, configuration, cloud metadata) is commonly used to gain unauthorized access to further systems.
The vulnerability affects three Apache Tika components on all operating systems:
CVE ID: CVE-2025-66516
CVSS score: 9.8 (Critical)
Vulnerability type: XML External Entity (XXE) injection
Attack vector: malicious XFA data embedded in PDF documents
Affected platforms: all (Windows, Linux, macOS)
tika-core: versions 1.13 through 3.2.1 are vulnerable. This is the core library that contains the actual flaw.
tika-parsers: versions 1.13 up to but not including 2.0.0 are affected. This older module contained the PDF parser functionality in the 1.x line.
Tika PDF parser module: versions 2.0.0 through 3.2.1 are vulnerable. This is the newer dedicated PDF component.
This vulnerability extends beyond the original CVE-2025-54988 in two important ways.
First, although the vulnerability appeared to be in the PDF parser module, the actual flaw lies in tika-core. Organizations that only updated the PDF parser module without upgrading tika-core remain vulnerable.
Second, the original report overlooked that older Tika 1.x releases packaged the PDF parser in the tika-parsers module rather than as a separate component.
This means legacy systems could be vulnerable even if operators believed they had patched the issue. Immediate action is required: upgrade tika-core to version 3.2.2 or later, and keep the parser modules at the same release so that the PDF module fix from CVE-2025-54988 is in place as well. The tika-core update is what addresses the vulnerability across all components; a dependency audit should therefore check the version of tika-core itself, not just the PDF module.
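The half-patched state described above (PDF module bumped, tika-core left behind) is easy to miss in a large build. The following script, added here as an example and not code from the Apache Tika project, encodes the three affected ranges from the advisory summary and audits the output of `mvn dependency:list` for them. It assumes the 2.x/3.x PDF module is the Maven artifact `tika-parser-pdf-module` and that input lines use the `groupId:artifactId:type:version:scope` layout that `mvn dependency:list` prints; the sample dependency list is constructed.

```python
"""Audit Maven dependency output for Apache Tika artifacts whose versions fall
inside the affected ranges for CVE-2025-66516.

Added example for this article, not code from the Apache Tika project.
Assumptions: the 2.x/3.x PDF module is the Maven artifact
'tika-parser-pdf-module', and input lines follow the
'groupId:artifactId:type:version:scope' layout printed by 'mvn dependency:list'.
"""

# Per component: (lower bound inclusive, upper bound, upper bound inclusive?)
AFFECTED_RANGES = {
    "tika-core": ((1, 13, 0), (3, 2, 1), True),              # 1.13 through 3.2.1
    "tika-parsers": ((1, 13, 0), (2, 0, 0), False),          # 1.13 before 2.0.0
    "tika-parser-pdf-module": ((2, 0, 0), (3, 2, 1), True),  # 2.0.0 through 3.2.1
}
FIXED_CORE_VERSION = "3.2.2"


def parse_version(version: str) -> tuple:
    """'1.13' -> (1, 13, 0); '3.2.1' -> (3, 2, 1).

    Qualifiers such as '-SNAPSHOT' are ignored (assumption: only the first
    three numeric components matter for the affected ranges).
    """
    numeric = version.split("-")[0]
    parts = [int(p) for p in numeric.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(artifact: str, version: str) -> bool:
    """True when the artifact/version pair is inside an affected range."""
    if artifact not in AFFECTED_RANGES:
        return False
    low, high, high_inclusive = AFFECTED_RANGES[artifact]
    v = parse_version(version)
    if v < low:
        return False
    return v <= high if high_inclusive else v < high


def parse_dependency_list(lines):
    """Yield (artifactId, version) for org.apache.tika entries in
    'mvn dependency:list' output; all other lines are skipped."""
    for line in lines:
        fields = line.replace("[INFO]", "").strip().split(":")
        if len(fields) >= 4 and fields[0] == "org.apache.tika":
            yield fields[1], fields[3]


def audit(lines) -> list:
    """Return the affected (artifactId, version) pairs found in the output."""
    return [(a, v) for a, v in parse_dependency_list(lines) if is_affected(a, v)]


# Constructed sample: the PDF module was moved to the fixed release but
# tika-core was left behind, the half-patched state the article warns about.
SAMPLE_DEPENDENCY_LIST = [
    "[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile",
    "[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile",
    "[INFO]    org.example:app-utils:jar:1.0.0:compile",
    "[INFO]    commons-io:commons-io:jar:2.18.0:compile",
]

if __name__ == "__main__":
    for artifact, version in audit(SAMPLE_DEPENDENCY_LIST):
        print(f"AFFECTED: {artifact} {version} -> upgrade to {FIXED_CORE_VERSION} or later")
```

Run it against real output with `mvn dependency:list | python audit_tika.py` after replacing the constructed sample with `sys.stdin`; Gradle users can feed the equivalent `group:artifact:version` lines after adjusting the field positions in `parse_dependency_list`.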
Apache advises organizations still running 1.x releases, which the project no longer maintains, to contact their software vendor immediately for patched builds rather than waiting for automatic updates.
As a temporary mitigation, block or quarantine PDF uploads from untrusted external sources until patching is complete.
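Where blocking all external PDFs is not acceptable, a narrower gate is to quarantine only PDFs that carry XFA form data whose XML declares external entities, since that is the ingredient of the XXE described above. The following filter is an added example for this article, not code from Apache Tika, and it is a triage heuristic rather than a fix: it inspects raw and FlateDecode (zlib) streams only, so content behind other filters or inside object streams is not seen, and patching tika-core remains the real remedy. The sample PDFs and XFA packets it tests against are constructed inline; the external entity points at a `.invalid` host so it resolves nowhere.

```python
"""Quarantine gate for PDF uploads: flag files that carry XFA form data whose
XML declares external entities (SYSTEM or PUBLIC), the ingredient of XXE.

Added example for this article, not code from Apache Tika. Heuristic only:
it looks at raw and zlib (FlateDecode) streams, not at other filters or
object streams. It does not replace upgrading tika-core.
"""
import re
import zlib

# A PDF stream body: the "stream" keyword (not the tail of "endstream"),
# a line break, the data, a line break, then "endstream".
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# <!ENTITY name SYSTEM "..."> or <!ENTITY name PUBLIC "..." "..."> declare
# external entities; internal entities (<!ENTITY name "text">) do not match.
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b")


def iter_stream_bodies(pdf: bytes):
    """Yield each stream body as found, plus its inflated form when the body
    is a zlib stream (how XFA packets are usually stored)."""
    for match in STREAM_RE.finditer(pdf):
        body = match.group(1)
        yield body
        try:
            # decompressobj tolerates trailing bytes such as a stray '\r'
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            pass  # not zlib data (plain text, image data, other filter)


def has_xfa(pdf: bytes) -> bool:
    """The /XFA key in the AcroForm dictionary marks an XFA-bearing PDF."""
    return b"/XFA" in pdf


def find_external_entities(pdf: bytes) -> list:
    """All external entity declarations found in any (inflated) stream."""
    hits = []
    for body in iter_stream_bodies(pdf):
        hits.extend(EXTERNAL_ENTITY_RE.findall(body))
    return hits


def classify(pdf: bytes) -> str:
    """'quarantine' = XFA with external entity declarations;
    'review' = XFA without them; 'accept' = no XFA at all."""
    if not has_xfa(pdf):
        return "accept"
    return "quarantine" if find_external_entities(pdf) else "review"


def build_sample_pdf(xfa_xml: bytes, compress: bool = True) -> bytes:
    """Constructed minimal PDF skeleton (no xref table) with one XFA stream,
    used here only as test input."""
    data = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /AcroForm << /XFA 2 0 R >> >> endobj\n"
        b"2 0 obj << /Length " + str(len(data)).encode() + b" " + filt + b">>\n"
        b"stream\n" + data + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


# Constructed XFA packets: one declares an external entity (the host is
# .invalid, so it resolves nowhere), the other is a plain form template.
XFA_WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE xdp:xdp [ <!ENTITY ext SYSTEM "http://dtd.example.invalid/x.dtd"> ]>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>&ext;</template></xdp:xdp>'
)
XFA_BENIGN = (
    b'<?xml version="1.0"?>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template/></xdp:xdp>'
)

if __name__ == "__main__":
    samples = [
        ("flate xfa+xxe", build_sample_pdf(XFA_WITH_EXTERNAL_ENTITY)),
        ("raw xfa+xxe", build_sample_pdf(XFA_WITH_EXTERNAL_ENTITY, compress=False)),
        ("benign xfa", build_sample_pdf(XFA_BENIGN)),
        ("no xfa", b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"),
    ]
    for label, pdf in samples:
        print(f"{label:14s} -> {classify(pdf)}")
```

A 'review' verdict is deliberately separate from 'quarantine': XFA forms are legitimate in many workflows, and the upload gate should only hard-block the combination that feeds the parser an external entity. Attackers can still hide the declaration behind filters this script does not decode, which is why the gate is a stopgap until tika-core 3.2.2 or later is deployed.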
Organizations that process sensitive documents such as financial records, legal papers, and personal data face elevated risk from this vulnerability, because the parsing service typically has access to exactly the files and internal services an XXE attack exposes.
The Apache Tika maintainers have released fixes, but deployment is what matters. Security teams should prioritize this patch in their vulnerability management processes.
