Cyber Web Spider Blog – News

Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch

Posted on December 5, 2025 by CWS

Dec 05, 2025Ravie LakshmananApplication Safety / Vulnerability
A vital safety flaw has been disclosed in Apache Tika that would end in an XML exterior entity (XXE) injection assault.
The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating most severity.
“Essential XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms permits an attacker to hold out XML Exterior Entity injection by way of a crafted XFA file inside a PDF,” in response to an advisory for the vulnerability.

It affects the following Maven packages:

org.apache.tika:tika-core >= 1.13, <= 3.2.1 (patched in version 3.2.2)
org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1 (patched in version 3.2.2)
org.apache.tika:tika-parsers >= 1.13, < 2.0.0 (patched in version 2.0.0)

XXE injection refers to a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. This, in turn, makes it possible to access files on the application server's file system and, in some cases, even achieve remote code execution.
CVE-2025-66516 is assessed to be the same as CVE-2025-54988 (CVSS score: 8.4), another XXE flaw in the content detection and analysis framework that was patched by the project maintainers in August 2025. The new CVE, the Apache Tika team said, expands the scope of affected packages in two ways.
“First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core,” the team said. “Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.”
“Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the “org.apache.tika:tika-parsers” module.”
In light of the criticality of the vulnerability, users are advised to apply the updates as soon as possible to mitigate potential threats.
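As an added example (not from the article or the Apache Tika project), the following Python script checks a list of Maven coordinates against the affected ranges quoted above and flags the partial-upgrade case the Tika team describes, where tika-parser-pdf-module is patched but tika-core is not. The dependency list and the com.example coordinate are constructed sample input.

```python
# Added example, not from the article or Apache Tika: audit Maven coordinates
# against the affected ranges quoted in the advisory.
from itertools import takewhile
from typing import List, Optional, Tuple

# (min inclusive, max inclusive, first fixed version), as stated in the article.
AFFECTED = {
    "org.apache.tika:tika-core": ("1.13", "3.2.1", "3.2.2"),
    "org.apache.tika:tika-parser-pdf-module": ("2.0.0", "3.2.1", "3.2.2"),
    "org.apache.tika:tika-parsers": ("1.13", "1.28.5", "2.0.0"),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1); qualifiers like '-SNAPSHOT' are ignored, missing parts are 0."""
    nums = [int("".join(takewhile(str.isdigit, p)) or "0") for p in v.split(".")]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(coordinate: str) -> Optional[str]:
    """First fixed version if 'group:artifact:version' lies in an affected range, else None."""
    ga, _, version = coordinate.rpartition(":")
    if ga not in AFFECTED:
        return None
    lo, hi, fixed = AFFECTED[ga]
    return fixed if parse_version(lo) <= parse_version(version) <= parse_version(hi) else None

def audit(coordinates: List[str]) -> List[str]:
    """One finding per affected coordinate, plus the partial-upgrade trap the team describes:
    a patched tika-parser-pdf-module beside an unpatched tika-core is still vulnerable."""
    findings, versions = [], {}
    for coord in coordinates:
        ga, _, version = coord.rpartition(":")
        versions[ga] = version
        fixed = is_affected(coord)
        if fixed:
            findings.append(f"{coord}: affected by CVE-2025-66516, upgrade to >= {fixed}")
    pdf = versions.get("org.apache.tika:tika-parser-pdf-module")
    core = versions.get("org.apache.tika:tika-core")
    if pdf and core and parse_version(pdf) >= (3, 2, 2) and parse_version(core) < (3, 2, 2):
        findings.append("tika-parser-pdf-module is patched but tika-core is not: still vulnerable")
    return findings

# Constructed sample dependency list showing the partial upgrade the team warns about.
SAMPLE = [
    "org.apache.tika:tika-core:3.2.1",
    "org.apache.tika:tika-parser-pdf-module:3.2.2",
    "com.example:other-lib:1.0.0",  # constructed, unrelated coordinate
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no affected Tika coordinates")
```

Feed it the `group:artifact:version` lines from `mvn dependency:list` or a lock file to cover transitive pulls of tika-core, which is where the fix actually lives.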

Source: The Hacker News
