csaf_certbund - wid-sec-w-2025-1883

WID-SEC-W-2025-1883

Vulnerability from csaf_certbund - Published: 2025-08-20 22:00 - Updated: 2025-12-04 23:00

Summary

Apache Tika: Schwachstelle ermöglicht Infogewinn oder Manipulation

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Das Apache Tika-Toolkit erkennt und extrahiert Metadaten und Text aus vielen verschiedenen Dateitypen.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Tika ausnutzen, um sensible Daten auszulesen oder bösartige Anfragen an interne Ressourcen oder Server von Drittanbietern auszulösen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Das Apache Tika-Toolkit erkennt und extrahiert Metadaten und Text aus vielen verschiedenen Dateitypen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Tika ausnutzen, um sensible Daten auszulesen oder b\u00f6sartige Anfragen an interne Ressourcen oder Server von Drittanbietern auszul\u00f6sen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1883 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1883.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1883 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1883"
      },
      {
        "category": "external",
        "summary": "Apache Tika Mailing List vom 2025-08-20",
        "url": "https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w"
      },
      {
        "category": "external",
        "summary": "Apache Tika Security vom 2025-08-20",
        "url": "https://tika.apache.org/security.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker #2389910 vom 2025-08-20",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2389910"
      },
      {
        "category": "external",
        "summary": "Elastic Security Announcement ESA-2025-15 vom 2025-08-28",
        "url": "https://discuss.elastic.co/t/enterprise-search-8-18-6-8-19-3-security-update-esa-2025-15-cve-2025-54988/381428"
      },
      {
        "category": "external",
        "summary": "Elastic Security Announcement ESA-2025-14 vom 2025-08-28",
        "url": "https://discuss.elastic.co/t/elasticsearch-8-18-6-8-19-3-9-0-6-and-9-1-3-security-update-esa-2025-14-cve-2025-54988/381427"
      },
      {
        "category": "external",
        "summary": "HCL Security Bulletin vom 2025-09-19",
        "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124164"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4350 vom 2025-10-26",
        "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00030.html"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2025-12-04",
        "url": "https://github.com/advisories/GHSA-f58c-gq56-vjjf"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Tika: Schwachstelle erm\u00f6glicht Infogewinn oder Manipulation",
    "tracking": {
      "current_release_date": "2025-12-04T23:00:00.000+00:00",
      "generator": {
        "date": "2025-12-05T06:52:13.688+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2025-1883",
      "initial_release_date": "2025-08-20T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-08-20T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-08-21T22:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2025-25435"
        },
        {
          "date": "2025-08-28T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Elastic aufgenommen"
        },
        {
          "date": "2025-09-21T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von HCL aufgenommen"
        },
        {
          "date": "2025-10-26T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2025-12-04T23:00:00.000+00:00",
          "number": "6",
          "summary": "CVE und Produkte erg\u00e4nzt,"
        }
      ],
      "status": "final",
      "version": "6"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c3.2.2",
                "product": {
                  "name": "Apache Tika \u003c3.2.2",
                  "product_id": "T046404"
                }
              },
              {
                "category": "product_version",
                "name": "3.2.2",
                "product": {
                  "name": "Apache Tika 3.2.2",
                  "product_id": "T046404-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tika:3.2.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "tika-parser-pdf-module \u003c3.2.2",
                "product": {
                  "name": "Apache Tika tika-parser-pdf-module \u003c3.2.2",
                  "product_id": "T049108"
                }
              },
              {
                "category": "product_version",
                "name": "tika-parser-pdf-module 3.2.2",
                "product": {
                  "name": "Apache Tika tika-parser-pdf-module 3.2.2",
                  "product_id": "T049108-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tika:tika-parser-pdf-module__3.2.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "tika-parsers \u003c2.0.0",
                "product": {
                  "name": "Apache Tika tika-parsers \u003c2.0.0",
                  "product_id": "T049109"
                }
              },
              {
                "category": "product_version",
                "name": "tika-parsers  2.0.0",
                "product": {
                  "name": "Apache Tika tika-parsers  2.0.0",
                  "product_id": "T049109-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tika:tika-parsers___2.0.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Tika"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "14",
                "product": {
                  "name": "HCL Domino 14",
                  "product_id": "T033028",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltech:domino:14"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "12",
                "product": {
                  "name": "HCL Domino 12",
                  "product_id": "T038610",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltech:domino:12"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "14.5",
                "product": {
                  "name": "HCL Domino 14.5",
                  "product_id": "T045951",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltech:domino:14.5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Domino"
          }
        ],
        "category": "vendor",
        "name": "HCL"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c8.18.6",
                "product": {
                  "name": "Open Source Elasticsearch \u003c8.18.6",
                  "product_id": "T046588"
                }
              },
              {
                "category": "product_version",
                "name": "8.18.6",
                "product": {
                  "name": "Open Source Elasticsearch 8.18.6",
                  "product_id": "T046588-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:elasticsearch:elasticsearch:8.18.6"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c8.19.3",
                "product": {
                  "name": "Open Source Elasticsearch \u003c8.19.3",
                  "product_id": "T046589"
                }
              },
              {
                "category": "product_version",
                "name": "8.19.3",
                "product": {
                  "name": "Open Source Elasticsearch 8.19.3",
                  "product_id": "T046589-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:elasticsearch:elasticsearch:8.19.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.0.6",
                "product": {
                  "name": "Open Source Elasticsearch \u003c9.0.6",
                  "product_id": "T046596"
                }
              },
              {
                "category": "product_version",
                "name": "9.0.6",
                "product": {
                  "name": "Open Source Elasticsearch 9.0.6",
                  "product_id": "T046596-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:elasticsearch:elasticsearch:9.0.6"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.1.3",
                "product": {
                  "name": "Open Source Elasticsearch \u003c9.1.3",
                  "product_id": "T046597"
                }
              },
              {
                "category": "product_version",
                "name": "9.1.3",
                "product": {
                  "name": "Open Source Elasticsearch 9.1.3",
                  "product_id": "T046597-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:elasticsearch:elasticsearch:9.1.3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Elasticsearch"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-54988",
      "product_status": {
        "known_affected": [
          "T033028",
          "T046404",
          "T045951",
          "T046589",
          "T049109",
          "T049108",
          "2951",
          "T038610",
          "T046588",
          "T046596",
          "T046597"
        ]
      },
      "release_date": "2025-08-20T22:00:00.000+00:00",
      "title": "CVE-2025-54988"
    },
    {
      "cve": "CVE-2025-66516",
      "product_status": {
        "known_affected": [
          "T033028",
          "T046404",
          "T045951",
          "T046589",
          "T049109",
          "T049108",
          "2951",
          "T038610",
          "T046588",
          "T046596",
          "T046597"
        ]
      },
      "release_date": "2025-08-20T22:00:00.000+00:00",
      "title": "CVE-2025-66516"
    }
  ]
}

CVE-2025-54988 (GCVE-0-2025-54988)

Vulnerability from cvelistv5 – Published: 2025-08-20 20:08 – Updated: 2025-11-04 22:06

Summary

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Severity ?

8.4 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-611 - Improper Restriction of XML External Entity Reference

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/8xn3rqy6kz5b3l1t8…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tika PDF parser module	Affected: 1.13 , ≤ 3.2.1 (semver)

Credits

Paras Jain and Yakov Shafranovich of Amazon.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-54988",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-21T13:27:24.270519Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-21T14:48:43.393Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T22:06:45.688Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00030.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/08/20/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/08/20/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.tika:tika-parser-pdf-module",
          "product": "Apache Tika PDF parser module",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.2.1",
              "status": "affected",
              "version": "1.13",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Paras Jain and Yakov Shafranovich of Amazon."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 3.2.2, which fixes this issue."
            }
          ],
          "value": "Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard.\n\nUsers are recommended to upgrade to version 3.2.2, which fixes this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "critical"
            },
            "type": "Textual description of severity"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-02T12:34:45.683Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Tika PDF parser module: XXE vulnerability in PDFParser\u0027s handling of XFA",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-54988",
    "datePublished": "2025-08-20T20:08:49.481Z",
    "dateReserved": "2025-08-04T16:04:26.626Z",
    "dateUpdated": "2025-11-04T22:06:45.688Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-66516 (GCVE-0-2025-66516)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:17 – Updated: 2025-12-05 18:26

Summary

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

Severity ?

10 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-611 - Improper Restriction of XML External Entity Reference

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/s5x3k93nhbkqzztp1…	vendor-advisory
	https://cve.org/CVERecord?id=CVE-2025-54988	related

Impacted products

Vendor

Product

Version

Apache Software Foundation

Apache Tika core

Affected: 1.13 , ≤ 3.2.1 (semver)

	Apache Software Foundation	Apache Tika parsers	Affected: 1.13 , < 2.0.0 (semver)
	Apache Software Foundation	Apache Tika PDF parser module	Affected: 2.0.0 , ≤ 3.2.1 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66516",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-05T18:26:33.915381Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-05T18:26:45.375Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.tika:tika-core",
          "product": "Apache Tika core",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.2.1",
              "status": "affected",
              "version": "1.13",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.tika:tika-parsers",
          "product": "Apache Tika parsers",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.0.0",
              "status": "affected",
              "version": "1.13",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.tika:tika-parser-pdf-module",
          "product": "Apache Tika PDF parser module",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.2.1",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. \u003cbr\u003e\u003cbr\u003eThis CVE covers the same vulnerability as in\u0026nbsp;CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. \u003cbr\u003e\u003cbr\u003eFirst, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to \u0026gt;= 3.2.2 would still be vulnerable. \u003cbr\u003e\u003cbr\u003eSecond, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the \"org.apache.tika:tika-parsers\" module."
            }
          ],
          "value": "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. \n\nThis CVE covers the same vulnerability as in\u00a0CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. \n\nFirst, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to \u003e= 3.2.2 would still be vulnerable. \n\nSecond, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the \"org.apache.tika:tika-parsers\" module."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "critical"
            },
            "type": "Textual description of severity"
          }
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T16:17:24.980Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cve.org/CVERecord?id=CVE-2025-54988"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-66516",
    "datePublished": "2025-12-04T16:17:24.980Z",
    "dateReserved": "2025-12-03T23:11:17.441Z",
    "dateUpdated": "2025-12-05T18:26:45.375Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2025-1883

CVE-2025-54988 (GCVE-0-2025-54988)

CVE-2025-66516 (GCVE-0-2025-66516)

Tags

Sightings

Nomenclature