Full Report
A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity. "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an
Analysis Summary
# Vulnerability: Critical XXE Injection in Apache Tika via Crafted PDF
## CVE Details
- CVE ID: CVE-2025-66516
- CVSS Score: 10.0 (Critical)
- CWE: XML External Entity (XXE) Injection (CWE-611 implied)
## Affected Systems
- Products: Apache Tika (tika-core, tika-pdf-module, tika-parsers)
- Versions:
  - `tika-core`: 1.13 up to and including 3.2.1 (Note: the source text elsewhere describes 3.2.2 as still vulnerable, which suggests the fix landed in 3.2.3 or later; no fixed version is stated.)
  - `tika-pdf-module`: 2.0.0 up to and including 3.2.1
  - `tika-parsers`: 1.13 up to and including 1.28.5
- Configurations: Affects all platforms where these modules are used, specifically when processing a crafted XFA file embedded within a PDF document.
## Vulnerability Description
A critical XML External Entity (XXE) injection vulnerability exists in several Apache Tika modules. An unauthenticated attacker can exploit the flaw by submitting a specially crafted PDF file that embeds a malicious XFA (XML Forms Architecture) structure. When Tika parses the file, the XML parser resolves the external entity references declared in that XFA content, resulting in an XXE attack.
## Exploitation
- Status: Advisory published; urgent patching advised. (Specific exploitation status like "in the wild" is not mentioned, but severity mandates immediate action.)
- Complexity: Low (implied by the critical rating and the simple vector: uploading a malicious file).
- Attack Vector: Network (Delivery of the malicious PDF).
## Impact
- Confidentiality: High (Potential for disclosure of sensitive data accessible via the service running Tika, file reading).
- Integrity: High (Potential for file modification or triggering arbitrary code execution depending on XXE capabilities being leveraged).
- Availability: High (Potential for Denial of Service via resource exhaustion from XXE entity expansion).
## Remediation
### Patches
- Patches are available, and users are strongly advised to update immediately. (The provided text does not list the patched versions; it only states that versions up to 3.2.2 might still be vulnerable, so users should move to the latest release published after the disclosure.)
### Workarounds
- No specific workarounds are detailed in the provided text, as applying the patch is the primary recommendation due to the 10.0 severity score.
## Detection
- Indicators of Compromise: Monitor system logs for unexpected outbound network connections or unusual file access attempts originating from services that use the Tika PDFParser, particularly during document-processing operations.
- Detection Methods and Tools: Intrusion Detection Systems (IDS) or web application firewalls (WAFs) configured to inspect incoming document uploads for XML structures containing DOCTYPE declarations or external entity references (`<!ENTITY`).
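The upload inspection described above is easy to get wrong for PDFs, because the XFA XML is normally stored inside a Flate-compressed stream object, so a plain byte search for `<!DOCTYPE` or `<!ENTITY` on the raw file sees nothing. The following is an added example, not code from the advisory or from the Tika project: a small pre-upload scanner that inflates each `stream ... endstream` body and then looks for the DOCTYPE and entity declarations that an XXE payload requires. The PDF fixtures and the `file:///constructed/placeholder` entity URI are constructed for the demo.

```python
import re
import zlib

# Constructed XFA payloads for the demo (not real-world samples). The first
# declares a DOCTYPE with an external (SYSTEM) entity, which is the XXE
# precondition an upload gate should flag; the second is an ordinary XFA
# form with no DTD at all.
XFA_WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE xdp [ <!ENTITY ext SYSTEM "file:///constructed/placeholder"> ]>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><form>&ext;</form></xdp:xdp>'
)
XFA_BENIGN = (
    b'<?xml version="1.0"?>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><form>hello</form></xdp:xdp>'
)

# Signals a defender cares about in XML carried inside a document upload.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)
# Entity whose replacement text comes from outside the document (SYSTEM/PUBLIC),
# including parameter entities ("<!ENTITY % name SYSTEM ...").
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# XFA markers, both the XML root element and the /XFA key in the AcroForm dict.
XFA_RE = re.compile(rb"<xdp:xdp\b|<xfa\b|/XFA\b", re.IGNORECASE)
# PDF stream objects; the body may be compressed.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def wrap_in_pdf(xml: bytes, compress: bool = True) -> bytes:
    """Build a minimal PDF-like blob carrying xml as an XFA stream.
    Constructed fixture: only as much PDF syntax as the scanner needs."""
    body = zlib.compress(xml) if compress else xml
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /AcroForm << /XFA 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< " + filt + b"/Length " + str(len(body)).encode() + b" >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n"
            b"%%EOF\n")


def regions(data: bytes):
    """Yield the raw file plus every stream body, inflating Flate streams.
    Streams using other filters (LZW, ASCIIHex, ...) fall back to raw bytes."""
    yield data
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            yield zlib.decompress(body)  # trailing newline before endstream is ignored
        except zlib.error:
            yield body


def scan_document(data: bytes) -> dict:
    """Return which XXE indicators appear anywhere in the document, including
    inside inflated streams, plus a block/allow verdict."""
    f = {"xfa": False, "doctype": False, "entity": False, "external_entity": False}
    for region in regions(data):
        f["xfa"] |= bool(XFA_RE.search(region))
        f["doctype"] |= bool(DOCTYPE_RE.search(region))
        f["entity"] |= bool(ENTITY_RE.search(region))
        f["external_entity"] |= bool(EXTERNAL_ENTITY_RE.search(region))
    # A DOCTYPE carrying any entity declaration is enough to quarantine for review;
    # an external entity is the strongest signal.
    f["block"] = f["doctype"] and f["entity"]
    return f


MALICIOUS_PDF = wrap_in_pdf(XFA_WITH_EXTERNAL_ENTITY)
BENIGN_PDF = wrap_in_pdf(XFA_BENIGN)

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(name, scan_document(blob))
```

This is a gate in front of the document pipeline, not a substitute for upgrading Tika: it cannot see inside streams using filters other than Flate, and it deliberately treats any DTD in an XFA form as suspicious rather than trying to decide whether a given entity is harmful.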
## References
- Vendor advisory: https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
- NVD Link (Implied): https://nvd.nist.gov/vuln/detail/CVE-2025-66516