{"uuid": "63aa0cf1-252d-490e-8492-fbddac588c54", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "CVE-2025-66516: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected", "description": "Ref: [https://seclists.org/oss-sec/2025/q4/238](https://seclists.org/oss-sec/2025/q4/238)\n\nSeverity: critical\n\nAffected versions:\n\n- Apache Tika core (org.apache.tika:tika-core) 1.13 through 3.2.1\n- Apache Tika parsers (org.apache.tika:tika-parsers) 1.13 before 2.0.0\n- Apache Tika PDF parser module\n(org.apache.tika:tika-parser-pdf-module) 2.0.0 through 3.2.1\n\nDescription:\n\nCritical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module\n(2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms\nallows an attacker to carry out XML External Entity injection via a\ncrafted XFA file inside of a PDF.\n\nThis CVE covers the same vulnerability as in CVE-2025-54988. However,\nthis CVE expands the scope of affected packages in two ways.\n\nFirst, while the entrypoint for the vulnerability was the\ntika-parser-pdf-module as reported in CVE-2025-54988, the\nvulnerability and its fix were in tika-core. Users who upgraded the\ntika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would\nstill be vulnerable.\n\nSecond, the original report failed to mention that in the 1.x Tika\nreleases, the PDFParser was in the \"org.apache.tika:tika-parsers\"\nmodule.\n\nReferences: Ref: [https://seclists.org/oss-sec/2025/q4/238](https://seclists.org/oss-sec/2025/q4/238)", "creation_timestamp": "2025-12-17T06:21:12.485846+00:00", "timestamp": "2025-12-17T06:21:12.485846+00:00", "related_vulnerabilities": ["CVE-2025-54988", "CVE-2025-66516"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
