A critical-severity vulnerability in the Apache Tika open source analysis toolkit could allow attackers to perform XML External Entity (XXE) injection attacks.
Apache Tika functions as a universal parser capable of extracting information from virtually all types of files, making it a core part of indexing and analysis tools.
The critical issue, tracked as CVE-2025-66516 (CVSS score of 10/10), impacts the tika-core, tika-pdf-module, and tika-parsers modules of Apache Tika.
Attackers can exploit the flaw via crafted XFA files placed inside PDF files, on all platforms.
Successful exploitation of XXE injection weaknesses could typically lead to information leaks, SSRF attacks, denial-of-service (DoS), or remote code execution (RCE).
Thus, the vulnerability poses a major risk, given the essential role Apache Tika has within search engines, content management systems, and data analysis tools.
CVE-2025-66516, VP of Apache Tika Tim Allison explains in an advisory, expands the scope of CVE-2025-54988 (CVSS score of 8.4), which was publicly disclosed in August.
The original vulnerability, Allison notes, impacts tika-core, but the entry point was the tika-parser-pdf-module package, thus requiring that both packages be updated to fully resolve the bug.
Additionally, he explains, the original report on the XXE flaw did not mention that the PDF parser in the 1.x Tika releases was in the tika-parsers module.
The newly disclosed Apache Tika vulnerability was patched in tika-core version 3.2.2, tika-parser-pdf-module version 3.2.2, and tika-parsers version 2.0.0.
The affected modules are used as dependencies in other packages. Users are advised to apply the patches as soon as possible.
Related: Exploitation of React2Shell Surges
Related: Critical King Addons Vulnerability Exploited to Hack WordPress Sites
Related: Microsoft Silently Mitigated Exploited LNK Vulnerability
