A critical security vulnerability, designated CVE-2025-66516, has been discovered in Apache Tika, a widely used content analysis framework. This flaw allows for XML External Entity (XXE) injection attacks, posing a severe risk to applications that rely on Tika for document processing. The vulnerability has been assigned a maximum CVSS score of 10.0, underscoring its extreme severity and the urgent need for remediation by users.
The exploitation of CVE-2025-66516 is achieved through a specifically crafted XFA file embedded within a PDF document. This technique enables attackers to inject malicious XML code, potentially leading to unauthorized access to sensitive files on the application server and, in some instances, to remote code execution. The Apache Tika team confirmed the critical nature of this Apache Tika vulnerability, emphasizing its potential impact on numerous systems.
Understanding the Critical XXE Vulnerability in Apache Tika
The newly identified vulnerability, CVE-2025-66516, is closely related to a previously disclosed XXE flaw, CVE-2025-54988, which received a CVSS score of 8.4. While CVE-2025-54988 was addressed by Apache Tika maintainers in August 2025, the Apache Tika team noted that the scope of the current vulnerability is broader, affecting additional components and versions. The core issue, according to the advisory, lies within the tika-core module, and the fix is present in versions later than 3.2.1.
Furthermore, the Apache Tika team clarified that the original reporting of CVE-2025-54988 did not fully encompass the affected packages. Specifically, in older Apache Tika releases within the 1.x series, the PDF parsing functionalities were located within the org.apache.tika:tika-parsers module. This oversight meant that while some users may have patched the PDF module component as per the earlier advisory, they could still remain vulnerable if their tika-core dependency was not also updated.
Affected Apache Tika Versions and Mitigation Strategies
The vulnerability impacts several key Maven packages within the Apache Tika ecosystem. For the org.apache.tika:tika-core package, versions ranging from 1.13 up to and including 3.2.1 are affected; the fix is available in version 3.2.2. The org.apache.tika:tika-parser-pdf-module is vulnerable in versions from 2.0.0 to 3.2.1, with version 3.2.2 providing the correction. Additionally, the org.apache.tika:tika-parsers module is affected in versions from 1.13 up to, but not including, 2.0.0, with version 2.0.0 addressing the issue.
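The version ranges above are easy to misread (one upper bound is inclusive, one is exclusive, and a patched PDF module does not help if tika-core is still old), so here is an added example, not code from the advisory or the Tika project, that audits a Maven pom.xml against exactly those ranges. The pom.xml content is constructed sample input, and the version ordering (a -BETA style qualifier sorting below the bare release) is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# coordinate -> (first affected, upper bound, upper bound inclusive?, fixed in)
AFFECTED = {
    "org.apache.tika:tika-core": ("1.13", "3.2.1", True, "3.2.2"),
    "org.apache.tika:tika-parser-pdf-module": ("2.0.0", "3.2.1", True, "3.2.2"),
    "org.apache.tika:tika-parsers": ("1.13", "2.0.0", False, "2.0.0"),
}

def parse_version(version):
    """'3.2.1' -> comparable tuple; a qualifier like -BETA sorts below the bare
    release (assumed Maven-style ordering)."""
    core, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    nums += (0,) * (3 - len(nums))  # '1.13' -> (1, 13, 0)
    return nums + ((0,) if qualifier else (1,))

def is_affected(coordinate, version):
    """Return (affected, fixed_in) for a groupId:artifactId at that version."""
    entry = AFFECTED.get(coordinate)
    if entry is None:
        return False, None
    low, high, inclusive, fixed_in = entry
    v = parse_version(version)
    below_top = v <= parse_version(high) if inclusive else v < parse_version(high)
    return parse_version(low) <= v and below_top, fixed_in

def audit_pom(pom_xml):
    """Return [(coordinate, version, fixed_in)] per vulnerable dependency. Tags match
    by local name (POM namespace ignored); versions inherited from a BOM are not resolved."""
    local = lambda tag: tag.rsplit("}", 1)[-1]
    findings = []
    for dep in ET.fromstring(pom_xml).iter():
        if local(dep.tag) != "dependency":
            continue
        f = {local(c.tag): (c.text or "").strip() for c in dep}
        coord = f"{f.get('groupId')}:{f.get('artifactId')}"
        affected, fixed_in = is_affected(coord, f.get("version", ""))
        if affected:
            findings.append((coord, f["version"], fixed_in))
    return findings

# Constructed sample: the PDF module was bumped to 3.2.2 but tika-core was not.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.apache.tika</groupId><artifactId>tika-core</artifactId><version>3.2.1</version></dependency>
  <dependency><groupId>org.apache.tika</groupId><artifactId>tika-parser-pdf-module</artifactId><version>3.2.2</version></dependency>
  <dependency><groupId>com.example</groupId><artifactId>unrelated-lib</artifactId><version>1.0.0</version></dependency>
</dependencies></project>"""
```

Running `audit_pom(SAMPLE_POM)` on the sample reports only tika-core 3.2.1 as affected, which is the partially patched state the advisory warns about.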
Given the critical severity of CVE-2025-66516, all users of Apache Tika are strongly advised to immediately update their dependencies to the patched versions. This proactive measure is crucial for preventing potential exploitation of the XXE injection flaw and safeguarding sensitive data. Security professionals are urging organizations to prioritize this update to mitigate risks associated with this severe vulnerability in document processing.
The Apache Tika team will likely continue to monitor for any further exploitation attempts or related vulnerabilities. Users are encouraged to stay informed through official Apache Tika security advisories for any new information or recommendations. The immediate focus for all users remains the timely application of the provided security patches to ensure the integrity and security of their applications that utilize Apache Tika for content analysis and document parsing.