Red Hot Cyber
Apache Tika Vulnerability CVE-2025-66516: Critical XXE Attack Risk

Author Redazione
6 December 2025 19:26

A critical vulnerability has been published in Apache Tika that could allow an XML external entity injection attack, known as XXE. The vulnerability, classified as CVE-2025-66516, has a CVSS score of 10.0, indicating maximum severity.

CVE-2025-66516 is believed to be identical to CVE-2025-54988 (CVSS score: 8.4), another XXE flaw in the content detection and analysis framework, which was fixed by the project maintainers in August 2025. The new CVE, the Apache Tika team said, broadens the scope of affected packages in two ways.

The critical flaw exists in the Apache Tika modules, specifically tika-core (versions 1.13 to 3.2.1), tika-pdf-module (versions 2.0.0 to 3.2.1), and tika-parsers (versions 1.13 to 1.28.5), on all platforms, and allows an attacker to inject external XML entities via a crafted XFA file embedded in a PDF.

This affects the following Maven packages:

  • org.apache.tika:tika-core >= 1.13
  • org.apache.tika:tika-parser-pdf-module >= 2.0.0
  • org.apache.tika:tika-parsers >= 1.13

“First, although the vulnerability’s entry point was the tika-parser-pdf module, as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core,” the team stated. “Users who updated the tika-parser-pdf module but did not update tika-core to version >= 3.2.2 would still be vulnerable.”
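The trap the maintainers describe (PDF module updated, tika-core left behind) is easy to miss in a build that pulls both artifacts transitively. The script below is an added example, not code from Red Hot Cyber or from the Apache Tika project: it reads the output of `mvn dependency:list`, resolves the Tika coordinates, and reports any artifact inside the affected ranges quoted in this article, plus the specific "pdf module fixed but tika-core < 3.2.2" combination. The input is a constructed sample; the non-Tika coordinates in it are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Inclusive affected ranges for CVE-2025-66516, as stated in the advisory text above.
AFFECTED: Dict[str, Tuple[Tuple[int, ...], Tuple[int, ...]]] = {
    "org.apache.tika:tika-core": ((1, 13), (3, 2, 1)),
    "org.apache.tika:tika-parser-pdf-module": ((2, 0, 0), (3, 2, 1)),
    "org.apache.tika:tika-parsers": ((1, 13), (1, 28, 5)),
}
CORE = "org.apache.tika:tika-core"
PDF = "org.apache.tika:tika-parser-pdf-module"
CORE_FIXED = (3, 2, 2)  # tika-core must be >= 3.2.2 per the maintainers' statement

# Constructed sample of `mvn dependency:list` output (not a real project).
SAMPLE = """\
[INFO] --- dependency:3.6.1:list (default-cli) @ doc-indexer ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    com.example:util:jar:tests:1.0.0:test
[INFO]    junit:junit:jar:4.13.2:test
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1); a qualifier such as '-SNAPSHOT' is dropped."""
    numeric = v.split("-")[0]
    return tuple(int(p) for p in numeric.split(".") if p.isdigit())


def in_range(v: Tuple[int, ...], lo: Tuple[int, ...], hi: Tuple[int, ...]) -> bool:
    """Inclusive comparison with shorter tuples zero-padded (1.13 == 1.13.0)."""
    n = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(lo) <= pad(v) <= pad(hi)


def parse_dependency_list(text: str) -> Dict[str, str]:
    """Map 'groupId:artifactId' -> version from `mvn dependency:list` lines.

    Maven prints groupId:artifactId:type[:classifier]:version:scope; header and
    progress lines have a different number of colon-separated fields and are skipped.
    """
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("[INFO]"):
            continue
        coord = line[len("[INFO]"):].strip().split(":")
        if len(coord) == 5:
            group, artifact, _type, version, _scope = coord
        elif len(coord) == 6:
            group, artifact, _type, _classifier, version, _scope = coord
        else:
            continue
        deps[f"{group}:{artifact}"] = version
    return deps


def assess(deps: Dict[str, str]) -> List[str]:
    """Return one finding per exposure to CVE-2025-66516 found in the resolved tree."""
    findings: List[str] = []
    for coord, (lo, hi) in AFFECTED.items():
        if coord in deps and in_range(parse_version(deps[coord]), lo, hi):
            findings.append(f"{coord}:{deps[coord]} is in the affected range for CVE-2025-66516")
    # The case called out by the maintainers: PDF module patched, tika-core still old.
    if PDF in deps and CORE in deps:
        pdf_patched = not in_range(parse_version(deps[PDF]), *AFFECTED[PDF])
        core_old = parse_version(deps[CORE]) < CORE_FIXED
        if pdf_patched and core_old:
            findings.append(
                f"{PDF} was updated but {CORE} is {deps[CORE]} (< 3.2.2): still vulnerable"
            )
    return findings


if __name__ == "__main__":
    for finding in assess(parse_dependency_list(SAMPLE)):
        print(finding)
```

Run it against real output with `mvn dependency:list | python3 check_tika.py` after replacing `SAMPLE` with `sys.stdin.read()`; the filename and that plumbing are the reader's choice. On the constructed sample it reports two findings: tika-core 3.2.1 in the affected range, and the "PDF module fixed, core not" combination.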

Given the criticality of the vulnerability, users are advised to apply updates as soon as possible to mitigate potential threats.

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.