CVE-2025-54988

Published Aug 20, 2025

Last updated 20 hours ago

CVSS critical 9.8

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-54988 is a critical XML External Entity (XXE) vulnerability found in Apache Tika's PDF parser module (tika-parser-pdf-module). It affects Apache Tika versions 1.13 through 3.2.1. The vulnerability exists in how the PDFParser handles XML Forms Architecture (XFA) content within PDF documents. An attacker can exploit this vulnerability by crafting a malicious XFA file embedded within a PDF document. This allows for XML External Entity injection attacks, potentially enabling the attacker to read sensitive files from the target system, access internal network resources, or trigger requests to external servers. The vulnerability affects multiple Tika packages including tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc, and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Description
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
Source
security@apache.org
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@apache.org
CWE-611

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

2

  1. Heads up, #CyberSecurity pros! 🚨 Critical XXE vulnerability (CVE-2025-54988) found in Apache Tika's PDF Parser. Attackers can access sensitive data! If you're on versions 1.13-3.2.1, update to Tika 3.2.2 NOW to secure your systems. Don't delay! 👇 https://t.co/sFY2cQ3AEi

    @fernandokarl

    21 Aug 2025

    51 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  2. Apache Tika に重大な脆弱性(CVE-2025-54988)が報告された。 対象は PDF パーサーモジュール(org.apache.tika:tika-parser-pdf-module)で、1.13 から 3.2.1 までの全バージョンが影響を受ける。 原因は PDF 内の XML Forms Architecture

    @yousukezan

    21 Aug 2025

    731 Impressions

    0 Retweets

    3 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-54988: Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA https://t.co/KDcajwdZRg Severity: critical

    @oss_security

    20 Aug 2025

    9116 Impressions

    13 Retweets

    47 Likes

    27 Bookmarks

    0 Replies

    1 Quote

References

Sources include official advisories and independent security research.