CVE-2025-66516

Published Dec 4, 2025

Last updated a month ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-66516 is a vulnerability found in Apache Tika's tika-core (versions 1.13-3.2.1), tika-pdf-module (versions 2.0.0-3.2.1), and tika-parsers (versions 1.13-1.28.5). It involves an XML External Entity (XXE) injection flaw that can be exploited through a crafted XFA file embedded in a PDF document. This allows an attacker to interfere with the application's processing of XML data. The vulnerability can be triggered when Apache Tika processes a PDF file containing a malicious XFA component. This may allow an attacker to access local files, internal network resources, or other sensitive data on the server where Tika runs. To mitigate this vulnerability, it is recommended to upgrade tika-core to version 3.2.2 or later and to ensure all related Tika components are updated consistently.

Description
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside a PDF. This CVE covers the same vulnerability as CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entry point for the vulnerability was the tika-parser-pdf-module, as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
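As an added example (not code from the Apache Tika project or from this advisory), the check below reads a Maven dependency listing and applies the affected ranges stated above, flagging the case the description calls out: a patched PDF module sitting on a tika-core that is still below 3.2.2. The Maven artifact ids and the sample listing are assumptions constructed for the example.

```python
# Added example, not Apache Tika project code. Artifact ids are assumed Maven names;
# both "tika-pdf-module" and "tika-parser-pdf-module" are accepted because the
# advisory uses both spellings for the PDF module.
import re

# Inclusive affected ranges taken from the advisory text.
AFFECTED = {
    "tika-core": ((1, 13, 0), (3, 2, 1)),
    "tika-parser-pdf-module": ((2, 0, 0), (3, 2, 1)),
    "tika-pdf-module": ((2, 0, 0), (3, 2, 1)),
    "tika-parsers": ((1, 13, 0), (1, 28, 5)),
}
FIXED_CORE = (3, 2, 2)  # the fix lives in tika-core, so this version is what matters


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); '1.13' -> (1, 13, 0); qualifiers like -SNAPSHOT are dropped."""
    nums = [int(p) for p in re.split(r"[.\-]", text) if p.isdigit()]
    return tuple((nums + [0, 0, 0])[:3])


def parse_dependency_list(text):
    """Read 'groupId:artifactId:type:version[:scope]' lines, as printed by mvn dependency:list."""
    deps = {}
    for line in text.splitlines():
        parts = line.replace("[INFO]", "").strip().split(":")
        if len(parts) >= 4 and parts[0] == "org.apache.tika":
            deps[parts[1]] = parse_version(parts[3])
    return deps


def assess(deps):
    """Return a list of findings; an empty list means no affected artifact was seen."""
    findings = []
    for artifact, (lo, hi) in AFFECTED.items():
        v = deps.get(artifact)
        if v is not None and lo <= v <= hi:
            findings.append(f"{artifact} {'.'.join(map(str, v))} is in the affected range")
    core = deps.get("tika-core")
    pdf = deps.get("tika-parser-pdf-module") or deps.get("tika-pdf-module")
    # The advisory's key point: upgrading only the PDF module leaves tika-core exposed.
    if core is not None and pdf is not None and pdf >= FIXED_CORE and core < FIXED_CORE:
        findings.append("PDF module is patched but tika-core is below 3.2.2: still vulnerable")
    return findings


# Constructed sample, modelled on mvn dependency:list output (not from a real build).
SAMPLE = """[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    com.example:other-lib:jar:1.0:compile"""

if __name__ == "__main__":
    for finding in assess(parse_dependency_list(SAMPLE)):
        print("FINDING:", finding)
```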
Source
security@apache.org
NVD status
Modified
Products
tika

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@apache.org
CWE-611

Social media

Hype score
Not currently trending
  1. ow ow ow, 2in1 bundle from Oracle 🟥 CVE-2026-21962, CVSS: 10.0 (Critical) Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in 🟥 CVE-2025-66516, CVSS: 10.0 (Critical) Apache Tika Oracle HTTP Server vulnerability allows unauthenticated attackers to compromise the serv

    @UjlakiMarci

    21 Jan 2026

    319 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. 🚨 CVE-2025-66516 - high 🚨 Apache Tika - XML External Entity Injection > Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1), and tika-parsers (... 👾 https://t.co/v4wUVecAup @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    21 Jan 2026

    97 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 Oracle January 2026 CPU Ships 337 Security Fixes Across 30+ Product Families Oracle’s January 2026 Critical Patch Update delivers 337 patches, including 115 remotely exploitable flaws requiring no authentication and at least one CVSS 10.0 issue (CVE-2025-66516) impacting

    @ThreatSynop

    21 Jan 2026

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 Adobe Fixes Critical Apache Tika (CVE-2025-66516) in ColdFusion With Potential RCE Impact Adobe released ColdFusion updates to patch a critical Apache Tika XXE vulnerability (CVSS 10) that can be triggered via crafted XFA content embedded in PDFs, potentially enabling SSRF/D

    @ThreatSynop

    13 Jan 2026

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. #VulnerabilityReport The PDF Trap: Critical Vulnerability (CVE-2025-66516, CVSS 10.0) Hits Apache Tika Core https://t.co/aLQcpc6u0L

    @Komodosec

    11 Jan 2026

    64 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. SECURITY ALERT: CVE-2025-66516 Exploit Fix & Mitigation Guide Read more: https://t.co/OWRMpoFkqY #Cybersecurity #CVE https://t.co/uyLgkxj9jm

    @SecReportCVE

    1 Jan 2026

    58 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. #OCI_ReleaseNotes #Management_Agent December 18, 2025 "Management Agent Updates" The new Management Agent release includes important security fixes, and also fixes the Critical XXE in Apache Tika (CVE-2025-66516). https://

    @Candyisdog

    25 Dec 2025

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. #OCI_ReleaseNotes #Management_Agent December 18, 2025 "Management Agent Updates" The new Management Agent release includes important security fixes, and also fixes the Critical XXE in Apache Tika (CVE-2025-66516). https://

    @Candyisdog

    19 Dec 2025

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. #Atlassian #fixed maximum #severity flaw CVE-2025-66516 in #Apache_Tika https://t.co/iwWjFLIA8d https://t.co/hB7illZEHQ

    @omvapt

    16 Dec 2025

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. A critical XXE vulnerability identified as CVE-2025-66516 has been discovered https://t.co/TC9Y6LvFza

    @MrMtwoj

    12 Dec 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 🚨 Apache Tika [—] Dec 12, 2025 Product Security Advisory: Multiple Critical XXE Vulnerabilities in Apache Tika Modules (CVE-2025-66516, CVE-2025-54988) Checkout our Threat Intelligence Platform: https://t.co/QuwNtEgYh1 https://t.co/QuwNtEgYh1 #LLM https://t.co/HPdVT66IXX

    @transilienceai

    12 Dec 2025

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. CVE-2025-66516 (Apache Tika) is sitting at a CVSS 10.0. If your app parses PDFs (especially via XFA forms) and you haven't updated tika-core to 3.2.2+, you are wide open to XXE injection. This isn't just a "feature bug." It's exfiltration waiting to happen. #AppSec #Inf

    @aspidaHQ

    12 Dec 2025

    10 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  13. 🚨 Alert: critical vulnerability in Apache Tika, CVE-2025-66516, severity level 10. Check and fix urgently!! A vulnerability has been detected that

    @ThaiCERTByNCSA

    12 Dec 2025

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. ⚠️ Critical XXE Bug in Apache Tika (CVE-2025-66516) https://t.co/eIhqYTAxB4 A newly disclosed XML External Entity (XXE) vulnerability (CVE-2025-66516, CVSS 10.0) affects multiple Tika modules, tika-core (versions 1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers

    @Huntio

    11 Dec 2025

    521 Impressions

    2 Retweets

    6 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  15. 🚨 Apache Tika [—] Dec 11, 2025 Critical XXE Vulnerability (CVE-2025-66516) Impacting Multiple Tika Modules With Highest Severity — Advisory and Mitigation Guidance Checkout our Threat Intelligence Platform: https://t.co/QuwNtEhw6z... https://t.co/KLtRdTpIeY

    @transilienceai

    11 Dec 2025

    71 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch 🚨 Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch A critical security flaw has been disclosed in Apache Tika, exposing XML external entity (XXE) injection h

    @HackonomicNews

    10 Dec 2025

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. Implementing checks for CVE-2025-66516 (Apache Tika) in the Vappler engine today. A CVSS 10.0 in a PDF parser? That’s nightmare fuel for anyone accepting file uploads. Building a scanner means reading the CVEs so you don't have to. MVP coming soon. #CVSS #Python #S

    @aspidaHQ

    10 Dec 2025

    93 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  18. New XXE vulnerability CVE-2025-66516 in Apache Tika lets attackers insert malicious XFA content in PDFs, risking server file exposure or remote code execution. #cybersecurity

    @bigmacd16684

    9 Dec 2025

    91 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  19. 🔴 CVE-2025-54988 & CVE-2025-66516 - Apache Tika XXE Flaws Apache Tika has two critical XXE vulnerabilities allowing attackers to read sensitive files and trigger malicious server-side requests via crafted documents. CVE-2025-54988 affects PDF parser through XFA forms embe

    @the_c_protocol

    9 Dec 2025

    98 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. #Pruva is still alive and kicking CVE-2025-66516 Reproduction with the EXFIL: CVE-2025-66516 - Apache Tika XXE Out-of-Band Data Exfiltration https://t.co/QYOPqrLsUr https://t.co/kvtudu4MaZ

    @N3mes1s

    9 Dec 2025

    2312 Impressions

    8 Retweets

    23 Likes

    11 Bookmarks

    0 Replies

    0 Quotes

  21. 🚨Alert🚨:CVE-2025-66516 (CVSS 10.0): Critical XXE Bug Hits Apache Tika 🔥PoC :https://t.co/AgUg8hKP9l 📊12.6K+ Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter Link:https://t.co/xZZGyc6J6L 👇Query HUNTER : https://t.co/q9rtuGgxk7="Apache Tika" https

    @HunterMapping

    9 Dec 2025

    8357 Impressions

    26 Retweets

    108 Likes

    57 Bookmarks

    3 Replies

    0 Quotes

  22. 🚨CVE-2025-66516: Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. Scanner: https://t.

    @DarkWebInformer

    8 Dec 2025

    9539 Impressions

    17 Retweets

    93 Likes

    57 Bookmarks

    2 Replies

    0 Quotes

  23. 🚨CVE-2025-66516: Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. Scanner: https://t.

    @DarkWebInformer

    8 Dec 2025

    203 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. Apache Tika: a vulnerability that allows XXE injection to be triggered using a PDF file containing XFA, CVE-2025-66516, CVSS 10.0 Critical. This XXE could lead to reading arbitrary files on the server, SSRF, DoS, and possibly even RCE

    @t_nihonmatsu

    8 Dec 2025

    859 Impressions

    2 Retweets

    12 Likes

    0 Bookmarks

    0 Replies

    2 Quotes

  25. A serious flaw has been found in Apache Tika, which is used in many systems, allowing external entity references to be planted by abusing XFA inside a PDF (CVE-2025-66516). It is widely used in search infrastructure and CMSs, and if left unaddressed it could lead to serious damage

    @yousukezan

    8 Dec 2025

    1836 Impressions

    5 Retweets

    14 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  26. 🚨CVE-2025-66516 (CVSS 10): Apache Tika Critical XXE Attackers can carry out XML External Entity (XXE) injection via a crafted XFA file inside a PDF. https://t.co/jZPp17r4JM #Apache #Vulnerability #CyberSecurityAwareness https://t.co/izXXn8Prnu

    @ashwesker_

    8 Dec 2025

    234 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. 🚨🚨CVE-2025-66516 (CVSS 10): Apache Tika Critical XXE Attackers can carry out XML External Entity (XXE) injection via a crafted XFA file inside a PDF. Search by vul.cve Filter👉vul.cve="CVE-2025-66516" ZoomEye Dork👉app="Apache Tika" Over 1.4k exposed instances. ZoomEye

    @zoomeye_team

    8 Dec 2025

    8909 Impressions

    20 Retweets

    129 Likes

    58 Bookmarks

    0 Replies

    0 Quotes

  28. Apache warns of critical 10.0 CVE-2025-66516 in Tika toolkit, used for metadata extraction from 1,000+ file formats. Flaw follows earlier XXE issue CVE-2025-54988, patching advised. #Vulnerability https://t.co/gkTrkkBhc0

    @threatcluster

    8 Dec 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. [Vulnerability] Most severe XXE vulnerability in Apache Tika, CVSS score 10.0, immediate response required. In the widely used content analysis framework "Apache Tika", an XML External Entity (XXE) injection of the highest severity level

    @nakajimeeee

    8 Dec 2025

    8424 Impressions

    33 Retweets

    99 Likes

    45 Bookmarks

    0 Replies

    3 Quotes

  30. Critical XXE bug CVE-2025-66516 (CVSS 10.0) affects Apache Tika, urgent patch required https://t.co/WagxZnTocI

    @cloudsec_news

    7 Dec 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. 🚨 Critical security flaw in Apache Tika can lead to XXE injection attack! CVE-2025-66516 rated 10.0 severity. Patch now! #ApacheTika #SecurityVulnerability 🛡️ More Info: https://t.co/rIl4iq5rN2

    @JamaalChalid

    7 Dec 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. Apache Tika Hit by Critical XXE Bug CVE-2025-66516 #CyberSecurity #ApacheTika #ZeroDayAlert #cyashadotcom #NZvWI https://t.co/6e9CdPp2RT

    @cyashadotcom

    6 Dec 2025

    57 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  33. 🚨 CRITICAL Alert! A severe XXE bug (CVE-2025-66516) with CVSS 10.0 has been discovered in Apache Tika, requiring urgent patching to prevent serious exploits. #CyberSecurity #Vulnerability https://t.co/KxtmDrICTh

    @xcybersecnews

    6 Dec 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. Critical XXE Flaw in Apache Tika Could Expose Sensitive Data A critical vulnerability in Apache Tika (CVE-2025-66516) with CVSS 10.0 enables XML external entity (XXE) attacks. Attackers can exploit this flaw to trigger XXE injections in core, PDF, and parser modules, embedding h

    @Secwiserapp

    6 Dec 2025

    81 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. Critical flaw in Apache Tika allows XXE attack: Vulnerability CVE-2025-66516 with the maximum score (10.0) affects versions up to 3.2.1 of the tika-core, tika-pdf-module and tika-parsers modules, enabling XML injection via malicious PDF files; an urgent update is recommend

    @caveiratech

    5 Dec 2025

    87 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  36. Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch https://t.co/P1JvBMx0J9 https://t.co/Qq2prSdN8g

    @evanderburg

    5 Dec 2025

    90 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. The Hacker News - Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch https://t.co/68yFAa0WiL

    @buzz_sec

    5 Dec 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. 🚨 Critical Apache Tika flaw (CVE-2025-66516) just dropped — CVSS 10.0. A single fake PDF can trigger an XXE attack, letting hackers read server files or run code. 🔗 Read ↓ https://t.co/FwnUmj5Mgb… Update to v3.2.2 now.

    @prafull_bonde26

    5 Dec 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. 🚨 Critical Apache Tika flaw (CVE-2025-66516) just dropped — CVSS 10.0. A single fake PDF can trigger an XXE attack, letting hackers read server files or run code. 🔗 Read ↓ https://t.co/MlS9eYXhSF Update to v3.2.2 now.

    @TheHackersNews

    5 Dec 2025

    10997 Impressions

    33 Retweets

    89 Likes

    26 Bookmarks

    1 Reply

    4 Quotes

  40. CVE-2025-66516: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Critical XXE https://t.co/y887roOQYI This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages.

    @oss_security

    4 Dec 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations