AI description
CVE-2025-54988 is a critical XML External Entity (XXE) vulnerability found in Apache Tika's PDF parser module (tika-parser-pdf-module). It affects Apache Tika versions 1.13 through 3.2.1. The vulnerability exists in how the PDFParser handles XML Forms Architecture (XFA) content within PDF documents. An attacker can exploit this vulnerability by crafting a malicious XFA file embedded within a PDF document. This allows for XML External Entity injection attacks, potentially enabling the attacker to read sensitive files from the target system, access internal network resources, or trigger requests to external servers. The vulnerability affects multiple Tika packages including tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc, and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
- Description
- Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
- Source
- security@apache.org
- NVD status
- Modified
- Products
- tika
CVSS 3.1
- Type
- Secondary
- Base score
- 8.4
- Impact score
- 5.9
- Exploitability score
- 2.5
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- security@apache.org
- CWE-611
- Hype score
- Not currently trending
🚨 Apache Tika [—] Dec 12, 2025 Product Security Advisory: Multiple Critical XXE Vulnerabilities in Apache Tika Modules (CVE-2025-66516, CVE-2025-54988) Checkout our Threat Intelligence Platform: https://t.co/QuwNtEgYh1 https://t.co/QuwNtEgYh1 #LLM https://t.co/HPdVT66IXX
@transilienceai
12 Dec 2025
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🔴 CVE-2025-54988 & CVE-2025-66516 - Apache Tika XXE Flaws Apache Tika has two critical XXE vulnerabilities allowing attackers to read sensitive files and trigger malicious server-side requests via crafted documents. CVE-2025-54988 affects PDF parser through XFA forms embe
@the_c_protocol
9 Dec 2025
98 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected URL: https://t.co/OH49vp9LZ9 Classification: Critical, Solution: Official Fix, Exploit Maturity: Not Defined, CVSSv3.1: 10.0
@samilaiho
9 Dec 2025
553 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Apache warns of critical 10.0 CVE-2025-66516 in Tika toolkit, used for metadata extraction from 1,000+ file formats. Flaw follows earlier XXE issue CVE-2025-54988, patching advised. #Vulnerability https://t.co/gkTrkkBhc0
@threatcluster
8 Dec 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-66516: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Critical XXE https://t.co/y887roOQYI This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages.
@oss_security
4 Dec 2025
16 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
GitHub - mgthuramoemyint/POC-CVE-2025-54988: A PDF generator for CVE-2025-54988 - https://t.co/T6wwq9wWu3
@piedpiper1616
4 Sept 2025
2200 Impressions
11 Retweets
19 Likes
11 Bookmarks
0 Replies
0 Quotes
⚠️Vulnerabilidad en Apache Tika ❗CVE-2025-54988 ➡️Más info: https://t.co/UcJptKeLLZ https://t.co/xg3JJAv9GJ
@CERTpy
27 Aug 2025
95 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Heads up, #CyberSecurity pros! 🚨 Critical XXE vulnerability (CVE-2025-54988) found in Apache Tika's PDF Parser. Attackers can access sensitive data! If you're on versions 1.13-3.2.1, update to Tika 3.2.2 NOW to secure your systems. Don't delay! 👇 https://t.co/sFY2cQ3AEi
@fernandokarl
21 Aug 2025
51 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
Apache Tika に重大な脆弱性(CVE-2025-54988)が報告された。 対象は PDF パーサーモジュール(org.apache.tika:tika-parser-pdf-module)で、1.13 から 3.2.1 までの全バージョンが影響を受ける。 原因は PDF 内の XML Forms Architecture
@yousukezan
21 Aug 2025
731 Impressions
0 Retweets
3 Likes
3 Bookmarks
0 Replies
0 Quotes
CVE-2025-54988: Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA https://t.co/KDcajwdZRg Severity: critical
@oss_security
20 Aug 2025
9116 Impressions
13 Retweets
47 Likes
27 Bookmarks
0 Replies
1 Quote
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "06E31452-81F9-4B50-A6E1-EE8FE3E148BD",
"versionEndExcluding": "3.2.2",
"versionStartIncluding": "1.13"
}
],
"operator": "OR"
}
]
}
]