* Last update: 05/12/2025
* Affected products: Apache Tika
* Type: XML External Entity injection
* CVE/CVSS:
  - CVE-2025-66516: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  - CVE-2025-54988: CVSS 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Apache advisory (CVE-2025-66516) - https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
Apache advisory (CVE-2025-54988) - https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w
In December 2025, the Apache Software Foundation released an advisory concerning a critical vulnerability in certain Apache Tika modules. CVE-2025-66516 extends the scope of a previously published vulnerability (CVE-2025-54988). Apache warns that systems which applied the earlier upgrade might still be vulnerable.
Apache Tika is a widely used toolkit that detects and extracts metadata and text from many file formats. It is used for search engine indexing, content analysis and translation, among other purposes. Threat actors could attempt to target this technology to access sensitive data and to trigger malicious requests to internal systems. An attacker could leverage this vulnerability for data exfiltration, resource exhaustion and internal network reconnaissance. This vulnerability has a high impact on confidentiality, integrity and availability.
There is no report of active exploitation (cut-off date: 05 December 2025).
CVE-2025-66516 is a flaw in the Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules. A threat actor could carry out an XML External Entity injection via a crafted XFA file embedded in a PDF. A successful attacker could gain access to unauthorized data and perform server-side request forgery attacks.
CVE-2025-66516 extends the scope of a previously published vulnerability with the identifier CVE-2025-54988. CVE-2025-54988 is an XXE injection flaw in Apache Tika’s PDF parser module. Apache Tika packages that depend on this PDF parser module, including tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard, are vulnerable.
The Apache Software Foundation issued a second CVE identifier (CVE-2025-66516) for the same flaw because the flaw and its fix are in the tika-core module. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. In addition, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
If an immediate upgrade to a non-vulnerable version is not feasible, the CCB recommends disabling the PDF parser and using a lightweight pre-processor that scans PDF headers and rejects any PDF containing the string /AcroForm or any reference to XFA forms.
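A minimal version of such a pre-processor, written here as an added example (it is not CCB or Apache code). It scans the raw bytes and also every stream that inflates with zlib, because in PDF 1.5+ the /AcroForm and /XFA keys may sit inside a Flate-compressed object stream where a plain byte scan would miss them; the sample PDFs are constructed inline, not real documents.

```python
import re
import zlib

# Tokens named in the advisory: an AcroForm dictionary or any XFA reference.
# The <xdp:xdp> marker is added because it opens an XFA XML packet.
FORM_MARKERS = {
    "AcroForm": re.compile(rb"/AcroForm\b"),
    "XFA": re.compile(rb"/XFA\b"),
    "xdp": re.compile(rb"<xdp:xdp\b", re.IGNORECASE),
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflated_streams(data: bytes):
    """Yield the decompressed body of every stream that zlib can inflate.

    Object streams (/ObjStm with /FlateDecode) can carry the catalog and its
    /AcroForm or /XFA keys in compressed form, so a raw scan alone is not enough.
    """
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data (images, already-plain streams); skip


def find_form_markers(data: bytes) -> set:
    """Return the names of all form/XFA markers found in raw or inflated data."""
    found = set()
    for chunk in (data, *_inflated_streams(data)):
        for name, pattern in FORM_MARKERS.items():
            if pattern.search(chunk):
                found.add(name)
    return found


def should_reject_pdf(data: bytes) -> tuple:
    """Decide (reject, reason) before the file ever reaches the Tika PDF parser."""
    if not data.startswith(b"%PDF-"):
        return True, "not a PDF header"
    markers = find_form_markers(data)
    if markers:
        return True, "form markers: " + ", ".join(sorted(markers))
    return False, "no form markers"


# Constructed samples: a plain PDF, one with the keys in clear text, and one
# whose /AcroForm and /XFA keys exist only inside a Flate-compressed stream.
PLAIN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
RAW_FORM_PDF = b"%PDF-1.5\n1 0 obj\n<< /AcroForm << /XFA [ (template) 6 0 R ] >> >>\nendobj\n"
_HIDDEN = zlib.compress(b"<< /Type /Catalog /AcroForm << /XFA 5 0 R >> >>")
COMPRESSED_FORM_PDF = (b"%PDF-1.7\n4 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
                       + _HIDDEN + b"\nendstream\nendobj\n%%EOF\n")
```

A scanner like this is a stop-gap that reduces exposure, not a replacement for upgrading tika-core; PDFs using other filters or encryption would still need the real parser to inspect.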
The CCB also recommends deploying web application firewall rules to detect and block XML payloads attempting to define external entities.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
Cyber Security News article - https://cybersecuritynews.com/apache-tika-pdf-parser-vulnerability/
Upwind Security article - https://www.upwind.io/feed/apache-tika-rce-cve-2025-66516