AI description
CVE-2025-66516 is a vulnerability found in Apache Tika's tika-core (versions 1.13-3.2.1), tika-pdf-module (versions 2.0.0-3.2.1), and tika-parsers (versions 1.13-1.28.5). It involves an XML External Entity (XXE) injection flaw that can be exploited through a crafted XFA file embedded in a PDF document. This allows an attacker to interfere with the application's processing of XML data. The vulnerability can be triggered when Apache Tika processes a PDF file containing a malicious XFA component. This may allow an attacker to access local files, internal network resources, or other sensitive data on the server where Tika runs. To mitigate this vulnerability, it is recommended to upgrade tika-core to version 3.2.2 or later and to ensure all related Tika components are updated consistently.
- Description
- Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
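The advisory's practical point is that the affected version ranges span three artifacts and that upgrading only the PDF module leaves tika-core, where the fix lives, unpatched. The following dependency audit is an added example, not Apache Tika project code; it assumes the text output format of `mvn dependency:list` (`groupId:artifactId:type:version:scope`), matches both spellings of the PDF module name used in the advisory, and flags versions inside the ranges stated above plus the patched-module/unpatched-core mismatch the advisory warns about.

```python
"""Dependency audit for CVE-2025-66516 (added example, not Apache Tika code).

Reads the text output of `mvn dependency:list` and flags Apache Tika artifacts
whose versions fall inside the affected ranges stated in the advisory. It also
reports the mismatch the advisory calls out: a patched PDF parser module
paired with a tika-core that is still in the affected range.
"""
import re
from typing import Dict, List, Tuple

# Inclusive affected ranges taken from the advisory text. The advisory refers
# to the PDF module both as "tika-pdf-module" and "tika-parser-pdf-module";
# both spellings are matched here.
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "tika-core": ("1.13", "3.2.1"),
    "tika-parser-pdf-module": ("2.0.0", "3.2.1"),
    "tika-pdf-module": ("2.0.0", "3.2.1"),
    "tika-parsers": ("1.13", "1.28.5"),
}
FIXED_CORE = "3.2.2"  # tika-core version that carries the fix (from the advisory)
TIKA_GROUP = "org.apache.tika"

# Matches lines such as `[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile`
# (assumed mvn dependency:list format); trailing annotations are ignored.
DEP_LINE = re.compile(
    r"^\s*(?:\[INFO\]\s+)?([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)(?::\w+)?"
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '3.2.1', '1.13' or '3.2.2-SNAPSHOT' into a comparable triple."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    if not nums:
        raise ValueError(f"unparseable version: {version!r}")
    while len(nums) < 3:
        nums.append(0)  # pad '1.13' to (1, 13, 0)
    return nums[0], nums[1], nums[2]


def is_affected(artifact: str, version: str) -> bool:
    """True if this Tika artifact/version pair sits inside an affected range."""
    bounds = AFFECTED_RANGES.get(artifact)
    if bounds is None:
        return False
    low, high = (parse_version(b) for b in bounds)
    return low <= parse_version(version) <= high


def parse_dependency_list(text: str) -> List[Tuple[str, str, str]]:
    """Extract (groupId, artifactId, version) triples from dependency:list output."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m:
            deps.append((m.group(1), m.group(2), m.group(3)))
    return deps


def audit(text: str) -> List[str]:
    """Return one finding per problem; an empty list means no exposure was found."""
    findings: List[str] = []
    tika = {a: v for g, a, v in parse_dependency_list(text) if g == TIKA_GROUP}
    for artifact, version in sorted(tika.items()):
        if is_affected(artifact, version):
            findings.append(f"{artifact} {version} is in the affected range")
    # The advisory's specific warning: upgrading only the PDF module is not enough.
    core = tika.get("tika-core")
    pdf_name = next(
        (a for a in ("tika-parser-pdf-module", "tika-pdf-module") if a in tika), None
    )
    if core and pdf_name and is_affected("tika-core", core) \
            and not is_affected(pdf_name, tika[pdf_name]):
        findings.append(
            f"{pdf_name} {tika[pdf_name]} is patched but tika-core {core} is not: "
            f"upgrade tika-core to >= {FIXED_CORE}"
        )
    return findings


# Constructed sample outputs resembling `mvn dependency:list`; the versions are
# chosen to show the cases the advisory describes.
SAMPLE_MISMATCH = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.slf4j:slf4j-api:jar:2.0.0:compile
"""
SAMPLE_FIXED = """\
[INFO]    org.apache.tika:tika-core:jar:3.2.2:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
"""
SAMPLE_1X = """\
[INFO]    org.apache.tika:tika-core:jar:1.28.5:compile
[INFO]    org.apache.tika:tika-parsers:jar:1.28.5:compile
"""

if __name__ == "__main__":
    for label, sample in (("mismatch", SAMPLE_MISMATCH), ("fixed", SAMPLE_FIXED),
                          ("1.x", SAMPLE_1X)):
        print(label, audit(sample) or "no findings")
```

In a real project, pipe `mvn dependency:list` output into `audit()`; the mismatch sample reproduces exactly the state the advisory says remains vulnerable (PDF module at 3.2.2, tika-core still at 3.2.1), and the 1.x sample shows why `tika-parsers` must be checked in addition to `tika-core` on the 1.x line.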
- Source
- security@apache.org
- NVD status
- Received
CVSS 4.0
- Type
- Secondary
- Base score
- 10
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
- security@apache.org
- CWE-611
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
16
Apache Tika Hit by Critical XXE Bug CVE-2025-66516 #CyberSecurity #ApacheTika #ZeroDayAlert #cyashadotcom #NZvWI https://t.co/6e9CdPp2RT
@cyashadotcom
6 Dec 2025
57 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 CRITICAL Alert! A severe XXE bug (CVE-2025-66516) with CVSS 10.0 has been discovered in Apache Tika, requiring urgent patching to prevent serious exploits. #CyberSecurity #Vulnerability https://t.co/KxtmDrICTh
@xcybersecnews
6 Dec 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical XXE Flaw in Apache Tika Could Expose Sensitive Data A critical vulnerability in Apache Tika (CVE-2025-66516) with CVSS 10.0 enables XML external entity (XXE) attacks. Attackers can exploit this flaw to trigger XXE injections in core, PDF, and parser modules, embedding h
@Secwiserapp
6 Dec 2025
81 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical flaw in Apache Tika allows XXE attack: Vulnerability CVE-2025-66516, with the maximum score (10.0), affects versions up to 3.2.1 of the tika-core, tika-pdf-module and tika-parsers modules, enabling XML injection via malicious PDF files; an urgent update is recommended
@caveiratech
5 Dec 2025
87 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch https://t.co/P1JvBMx0J9 https://t.co/Qq2prSdN8g
@evanderburg
5 Dec 2025
90 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
The Hacker News - Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch https://t.co/68yFAa0WiL
@buzz_sec
5 Dec 2025
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical Apache Tika flaw (CVE-2025-66516) just dropped — CVSS 10.0. A single fake PDF can trigger an XXE attack, letting hackers read server files or run code. 🔗 Read ↓ https://t.co/FwnUmj5Mgb… Update to v3.2.2 now.
@prafull_bonde26
5 Dec 2025
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical Apache Tika flaw (CVE-2025-66516) just dropped — CVSS 10.0. A single fake PDF can trigger an XXE attack, letting hackers read server files or run code. 🔗 Read ↓ https://t.co/MlS9eYXhSF Update to v3.2.2 now.
@TheHackersNews
5 Dec 2025
10997 Impressions
33 Retweets
89 Likes
26 Bookmarks
1 Reply
4 Quotes
CVE-2025-66516: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Critical XXE https://t.co/y887roOQYI This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages.
@oss_security
4 Dec 2025
16 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes