
Redazione RHC : 6 December 2025 19:26
A critical vulnerability has been disclosed in Apache Tika that allows an XML external entity (XXE) injection attack. The flaw, tracked as CVE-2025-66516, carries a severity score of 10.0, the maximum on the scale.
The Apache Tika team describes CVE-2025-66516 as identical to CVE-2025-54988 (CVSS score 8.4), another XXE flaw in the content detection and analysis framework that the maintainers fixed in August 2025. The new CVE was issued because, the team said, it broadens the scope of affected packages in two ways.
The flaw lets an attacker inject external XML entities through a crafted XFA file embedded in a PDF. It is present on all platforms in the following Apache Tika modules and their corresponding Maven packages:
- tika-core, versions 1.13 to 3.2.1
- tika-pdf-module, versions 2.0.0 to 3.2.1
- tika-parsers, versions 1.13 to 1.28.5
“First, although the vulnerability’s entry point was the tika-parser-pdf module, as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core,” the team stated. “Users who updated the tika-parser-pdf module but did not update tika-core to version >= 3.2.2 would still be vulnerable.”
Given the severity of the vulnerability, users are advised to update as soon as possible, and to verify that tika-core itself has moved to 3.2.2 or later rather than only the PDF parser module.
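A check for exactly the mismatch the team warns about, as an added example that is not part of the original article or of the Apache Tika project: it parses `mvn dependency:tree` output, flags any org.apache.tika artifact whose resolved version falls inside the ranges listed above, and emits a specific warning when the PDF module is patched but tika-core is not. The dependency-tree lines are constructed for the example, and the artifact names are taken from the advisory as written; match them against the artifactIds actually used in your build before relying on the result.

```python
"""Audit resolved Apache Tika versions against the CVE-2025-66516 ranges.

Added example, not Tika project code.  Reads the text of
`mvn dependency:tree` and reports artifacts still in the affected ranges.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected inclusive ranges as stated in the advisory: artifactId -> (lowest, highest).
# Artifact names are copied from the advisory text; confirm them against the
# artifactIds in your own build (assumption: they match one-to-one).
AFFECTED: Dict[str, Tuple[Version, Version]] = {
    "tika-core": ((1, 13, 0), (3, 2, 1)),
    "tika-pdf-module": ((2, 0, 0), (3, 2, 1)),
    "tika-parsers": ((1, 13, 0), (1, 28, 5)),
}
FIXED_CORE: Version = (3, 2, 2)  # first tika-core release carrying the fix

# One artifact in `mvn dependency:tree` output, e.g.
# "[INFO] +- org.apache.tika:tika-core:jar:3.2.1:compile"
DEP_RE = re.compile(r"org\.apache\.tika:(?P<artifact>[\w.-]+):jar:(?P<version>[\w.-]+)")


def parse_version(text: str) -> Version:
    """'3.2.1' -> (3, 2, 1); non-numeric suffixes such as '-SNAPSHOT' are dropped."""
    parts: List[int] = []
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def tika_artifacts(tree_output: str) -> Dict[str, Version]:
    """Collect resolved org.apache.tika artifact versions from dependency:tree text."""
    found: Dict[str, Version] = {}
    for m in DEP_RE.finditer(tree_output):
        found[m.group("artifact")] = parse_version(m.group("version"))
    return found


def is_affected(artifact: str, version: Version) -> bool:
    """True when the artifact is one of the listed modules and the version is in range."""
    rng = AFFECTED.get(artifact)
    return rng is not None and rng[0] <= version <= rng[1]


def audit(tree_output: str) -> List[str]:
    """Return one finding per problem; an empty list means nothing was flagged."""
    found = tika_artifacts(tree_output)
    findings: List[str] = []
    for artifact, version in sorted(found.items()):
        if is_affected(artifact, version):
            findings.append(f"{artifact} {'.'.join(map(str, version))} is in the affected range")
    # The case the advisory singles out: PDF module bumped, tika-core left behind.
    core = found.get("tika-core")
    pdf = found.get("tika-pdf-module")
    if (core is not None and is_affected("tika-core", core)
            and pdf is not None and not is_affected("tika-pdf-module", pdf)):
        findings.append(
            "tika-pdf-module is patched but tika-core is not: still vulnerable, "
            f"upgrade tika-core to >= {'.'.join(map(str, FIXED_CORE))}"
        )
    return findings


# Constructed sample (not a real build): the PDF module was updated, tika-core was not.
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0
[INFO] +- org.apache.tika:tika-core:jar:3.2.1:compile
[INFO] +- org.apache.tika:tika-pdf-module:jar:3.2.2:compile
[INFO] |  \\- org.apache.pdfbox:pdfbox:jar:3.0.4:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.16:compile
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_TREE):
        print("FINDING:", line)
```

Run it against real output with `mvn dependency:tree | python3 tika_audit.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; a clean build returns no findings only when every listed artifact is outside its range, so a tika-core still at 3.2.1 is flagged even if every parser module is current.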