Computing

Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch

News Room
News Room
Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch

Dec 05, 2025Ravie LakshmananApplication Security / Vulnerability

A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack.

The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity.

“Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF,” according to an advisory for the vulnerability.

Cybersecurity

It affects the following Maven packages –

  • org.apache.tika:tika-core >= 1.13, <= 3.2.1 (Patched in version 3.2.2)
  • org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1 (Patched in version 3.2.2)
  • org.apache.tika:tika-parsers >= 1.13, < 2.0.0 (Patched in version 2.0.0)

XXE injection refers to a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. This, in turn, makes it possible to access files on the application server file system and, in some cases, even, achieve remote code execution.

CVE-2025-66516 is assessed to be the same as CVE-2025-54988 (CVSS score: 8.4), another XXE flaw in the content detection and analysis framework that was patched by the project maintainers in August 2025. The new CVE, the Apache Tika team said, expands the scope of affected packages in two ways.

“First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core,” the team said. “Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.”

“Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the “org.apache.tika:tika-parsers” module.”

In light of the criticality of the vulnerability, users are advised to apply the updates as soon as possible to mitigate potential threats.

Share This Article
Previous Article Apple CEO succession discussion enters new realm of rampant speculation Apple CEO succession discussion enters new realm of rampant speculation
Next Article This Is Your Last Chance to Save 26% With This Bose Speaker Cyber Week Deal This Is Your Last Chance to Save 26% With This Bose Speaker Cyber Week Deal
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay Connected

Latest News

25 Prompts Every Busy Mom Needs to Know [UPDATED]
25 Prompts Every Busy Mom Needs to Know [UPDATED]
Computing
MacRumors Giveaway: Win an iPhone 17 From GRID Studio
MacRumors Giveaway: Win an iPhone 17 From GRID Studio
News
iPhone 17 vs. iPhone 16: Which Is the Right Choice for You?
iPhone 17 vs. iPhone 16: Which Is the Right Choice for You?
News
Paribu Acquires CoinMENA, MENA’s Largest Local Crypto Exchange | HackerNoon
Paribu Acquires CoinMENA, MENA’s Largest Local Crypto Exchange | HackerNoon
Computing
Lost your password?