Cyber Posture

CVE-2025-66516

Severity: High
Published: 04 December 2025
Modified: 30 December 2025
KEV Added
Patch
CVSS Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0158 (81.7th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

Mitigating Controls (NIST 800-53 r5, AI-generated)

- Prevent: Directly mandates timely remediation of the XXE flaw in Apache Tika modules by upgrading tika-core to 3.2.2 or higher and affected dependencies.
- Detect: Enables periodic scanning to identify systems with vulnerable versions of tika-core, tika-pdf-module, and tika-parsers affected by this XXE vulnerability.
- Prevent: Provides input validation to check and reject crafted PDF files containing malicious XFA that could trigger XXE injection during Tika parsing.

Security Summary (AI-generated)

CVE-2025-66516 is a critical XML External Entity (XXE) vulnerability, classified under CWE-611, affecting Apache Tika's tika-core module versions 1.13 through 3.2.1, tika-pdf-module versions 2.0.0 through 3.2.1, and tika-parsers module versions 1.13 through 1.28.5 on all platforms. The flaw enables attackers to conduct XXE injection by processing a crafted XFA file embedded inside a PDF document. This CVE covers the same vulnerability as CVE-2025-54988 but expands the scope in two key ways: the root issue and fix are in tika-core, meaning upgrades to tika-pdf-module alone are insufficient if tika-core remains below 3.2.2; additionally, in Tika 1.x releases, the PDFParser resides in the tika-parsers module.

Exploitation requires local access (AV:L) with low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N), yielding high impacts on confidentiality, integrity, and availability (CVSSv3.1 score of 8.4). An attacker can leverage the XXE via the crafted PDF to inject external entities when the affected Tika modules parse the file.

The Apache advisory, referenced in the mailing list thread, recommends upgrading tika-core to version 3.2.2 or higher as the primary mitigation, emphasizing that partial upgrades to dependent modules like tika-pdf-module do not resolve the issue. Further details on the original report and expanded scope are available in the CVE-2025-54988 record.
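A practical way to act on the partial-upgrade point above is to check the coordinates a build actually resolves against the affected ranges this record lists. The following is an added example, not code from the Cyber Posture record or from the Apache Tika project; the dependency map is constructed, and the PDF parser artifact is referred to as tika-parser-pdf-module, as in the description.

```python
import re

# Affected ranges (inclusive) as stated in this record. The PDF parser artifact is
# tika-parser-pdf-module in 2.x/3.x; in 1.x the PDFParser lives in tika-parsers.
AFFECTED = {
    "org.apache.tika:tika-core": ("1.13", "3.2.1"),
    "org.apache.tika:tika-parser-pdf-module": ("2.0.0", "3.2.1"),
    "org.apache.tika:tika-parsers": ("1.13", "1.28.5"),
}
CORE = "org.apache.tika:tika-core"


def parse_version(v):
    """'3.2.1-SNAPSHOT' -> (3, 2, 1); qualifiers after '-' or '+' are ignored."""
    numeric = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(p) for p in numeric.split(".") if p.isdigit())


def is_affected(coord, version):
    """True if coord is one of the listed artifacts and version falls in its range."""
    if coord not in AFFECTED:
        return False
    low, high = (parse_version(x) for x in AFFECTED[coord])
    return low <= parse_version(version) <= high


def assess(resolved):
    """resolved: {'group:artifact': version} as the build actually resolves them.
    Returns findings, and flags the case the record warns about: a parser module
    was bumped but tika-core, where the fix lives, is still below 3.2.2."""
    findings = [f"{c}:{v} is in the affected range"
                for c, v in resolved.items() if is_affected(c, v)]
    core = resolved.get(CORE)
    modules_fixed = [c for c, v in resolved.items()
                     if c in AFFECTED and c != CORE and not is_affected(c, v)]
    if core and is_affected(CORE, core) and modules_fixed:
        findings.append(f"{', '.join(modules_fixed)} upgraded but {CORE}:{core} "
                        "remains below 3.2.2; the XXE fix is in tika-core")
    return findings


# Constructed sample: a 3.x build that bumped only the PDF module.
SAMPLE_BUILD = {
    CORE: "3.2.1",
    "org.apache.tika:tika-parser-pdf-module": "3.2.2",
}

if __name__ == "__main__":
    for line in assess(SAMPLE_BUILD):
        print(line)
```

Feed it the output of a dependency resolution (for example the resolved tree from the build tool) rather than declared versions, since transitive pins decide which tika-core actually ships.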

Details

CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)

Affected Products

apache
tika
1.13 — 3.2.2

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques? The XXE vulnerability directly enables local file disclosure by processing crafted PDFs, facilitating Data from Local System (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References