Apache has issued a security advisory for a newly expanded XML External Entity (XXE) vulnerability affecting multiple components of Apache Tika, the widely used content analysis toolkit. The flaw, tracked as CVE-2025-66516 and rated critical, impacts Tika’s core library, its parser modules, and its PDF parser module.
According to Apache’s disclosure, the vulnerability allows an attacker to perform XML External Entity injection by embedding a crafted XFA file inside a PDF. When Tika processes the file, the parser may resolve external XML entities, potentially exposing internal files or network resources.
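As an added example (not code from the advisory or the Tika project), here is a defender-side triage check in Python that scans a PDF's streams for the ingredient this bug depends on: an XFA payload that declares an external DTD or entity. The PDF layout, the XFA payloads and the helper names below are constructed assumptions for illustration.

```python
import re
import zlib

# One PDF stream body: "stream" ... "endstream" (lookbehind skips the "stream" inside "endstream").
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# External DTD or entity declarations: the XML constructs an XXE payload relies on.
EXTERNAL_DECL_RE = re.compile(
    rb"<!(?:ENTITY\s+(?:%\s+)?[\w:.-]+|DOCTYPE\s+[\w:.-]+)\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Markers of an XFA (XDP) payload, the carrier named in the advisory.
XFA_MARKER_RE = re.compile(rb"<xdp:xdp\b|<template\b|<xfa:", re.IGNORECASE)

def iter_stream_bodies(pdf_bytes):
    """Yield each stream body, inflating FlateDecode streams where possible."""
    for m in STREAM_RE.finditer(pdf_bytes):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body  # not zlib-compressed: inspect the raw bytes

def find_external_entities(pdf_bytes):
    """Return (is_xfa, declaration) for every external DTD/entity declaration in any stream."""
    findings = []
    for body in iter_stream_bodies(pdf_bytes):
        is_xfa = XFA_MARKER_RE.search(body) is not None
        for m in EXTERNAL_DECL_RE.finditer(body):
            findings.append((is_xfa, m.group(0).decode("latin-1")))
    return findings

def build_sample_pdf(xfa_xml):
    """Constructed test input only: a PDF-shaped byte string with one FlateDecode XFA stream."""
    data = zlib.compress(xfa_xml)
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /AcroForm << /XFA 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< /Length " + str(len(data)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + data + b"\nendstream\nendobj\n%%EOF\n")

# Constructed XFA payloads: one declaring an external entity (placeholder URI), one clean.
XFA_WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE xdp:xdp [ <!ENTITY ext SYSTEM "file:///constructed/placeholder.txt"> ]>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template><field name="f">&ext;</field>'
    b'</template></xdp:xdp>\n')
XFA_CLEAN = (b'<?xml version="1.0"?>\n<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
             b'<template><field name="f"/></template></xdp:xdp>\n')
SUSPICIOUS_SAMPLE = build_sample_pdf(XFA_WITH_EXTERNAL_ENTITY)
CLEAN_SAMPLE = build_sample_pdf(XFA_CLEAN)

if __name__ == "__main__":
    print(find_external_entities(SUSPICIOUS_SAMPLE))  # [(True, '<!ENTITY ext SYSTEM')]
    print(find_external_entities(CLEAN_SAMPLE))       # []
```

This is a heuristic, not a PDF parser: streams using filters other than FlateDecode, or XFA held in object streams, are not inflated, so treat a clean result as "nothing seen" rather than "safe", and pair it with updating tika-core.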
The affected versions include:
- tika-core: 1.13 through 3.2.1
- tika-parsers: 1.13 before 2.0.0
- tika-parser-pdf-module: 2.0.0 through 3.2.1
Apache also clarified that its previous advisory had identified the PDF parser module as the entry point, but deeper investigation revealed that the underlying flaw, and its fix, reside in tika-core.
CVE-2025-66516 is a critical XXE vulnerability affecting Apache Tika’s core, parser, and PDF parser packages across multiple versions. Users should verify whether their deployments rely on any affected components and update immediately, especially if previous patching was limited only to the PDF parser module.