CVE-2025-54988

Published Aug 20, 2025

Last updated 4 months ago

Overview

Description
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
Source
security@apache.org
NVD status
Modified
Products
tika

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.4
Impact score
5.9
Exploitability score
2.5
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security@apache.org
CWE-611

Social media

Hype score
Not currently trending
  1. 🚨 Apache Tika - Dec 12, 2025 Product Security Advisory: Multiple Critical XXE Vulnerabilities in Apache Tika Modules (CVE-2025-66516, CVE-2025-54988) Checkout our Threat Intelligence Platform: https://t.co/QuwNtEgYh1 https://t.co/QuwNtEgYh1 #LLM https://t.co/HPdVT66IXX

    @transilienceai

    12 Dec 2025

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🔴 CVE-2025-54988 & CVE-2025-66516 - Apache Tika XXE Flaws Apache Tika has two critical XXE vulnerabilities allowing attackers to read sensitive files and trigger malicious server-side requests via crafted documents. CVE-2025-54988 affects PDF parser through XFA forms embe

    @the_c_protocol

    9 Dec 2025

    98 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected URL: https://t.co/OH49vp9LZ9 Classification: Critical, Solution: Official Fix, Exploit Maturity: Not Defined, CVSSv3.1: 10.0

    @samilaiho

    9 Dec 2025

    553 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Apache warns of critical 10.0 CVE-2025-66516 in Tika toolkit, used for metadata extraction from 1,000+ file formats. Flaw follows earlier XXE issue CVE-2025-54988, patching advised. #Vulnerability https://t.co/gkTrkkBhc0

    @threatcluster

    8 Dec 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-66516: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Critical XXE https://t.co/y887roOQYI This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages.

    @oss_security

    4 Dec 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. GitHub - mgthuramoemyint/POC-CVE-2025-54988: A PDF generator for CVE-2025-54988 - https://t.co/T6wwq9wWu3

    @piedpiper1616

    4 Sept 2025

    2200 Impressions

    11 Retweets

    19 Likes

    11 Bookmarks

    0 Replies

    0 Quotes

  7. ⚠️Vulnerability in Apache Tika ❗CVE-2025-54988 ➡️More info: https://t.co/UcJptKeLLZ https://t.co/xg3JJAv9GJ

    @CERTpy

    27 Aug 2025

    95 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Heads up, #CyberSecurity pros! 🚨 Critical XXE vulnerability (CVE-2025-54988) found in Apache Tika's PDF Parser. Attackers can access sensitive data! If you're on versions 1.13-3.2.1, update to Tika 3.2.2 NOW to secure your systems. Don't delay! 👇 https://t.co/sFY2cQ3AEi

    @fernandokarl

    21 Aug 2025

    51 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  9. A critical vulnerability (CVE-2025-54988) has been reported in Apache Tika. The affected component is the PDF parser module (org.apache.tika:tika-parser-pdf-module), and all versions from 1.13 through 3.2.1 are affected. The cause is the XML Forms Architecture inside the PDF

    @yousukezan

    21 Aug 2025

    731 Impressions

    0 Retweets

    3 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2025-54988: Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA https://t.co/KDcajwdZRg Severity: critical

    @oss_security

    20 Aug 2025

    9116 Impressions

    13 Retweets

    47 Likes

    27 Bookmarks

    0 Replies

    1 Quote

Configurations