Critical XXE Vulnerability in Apache Tika (CVE-2025-66516)
Summary
A critical XML External Entity (XXE) injection vulnerability (CVE-2025-66516) has been disclosed in Apache Tika, affecting multiple modules. The flaw, rated 10.0 on the CVSS scale, allows attackers to execute XXE attacks via crafted XFA files in PDFs. The vulnerability affects specific versions of tika-core, tika-pdf-module, and tika-parsers. Users are advised to upgrade to the patched versions immediately. The vulnerability is similar to CVE-2025-54988 but expands the scope of affected packages and highlights the importance of upgrading both the tika-parser-pdf-module and tika-core to mitigate the risk.
Timeline
- 05.12.2025 18:23: Critical XXE Vulnerability in Apache Tika (CVE-2025-66516) Disclosed
- Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch — thehackernews.com — 05.12.2025 18:23
Information Snippets
(All snippets first reported 05.12.2025 18:23; source: Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch — thehackernews.com)
- CVE-2025-66516 is an XXE injection vulnerability in Apache Tika with a CVSS score of 10.0.
- The vulnerability affects tika-core versions 1.13 to 3.2.1, tika-pdf-module versions 2.0.0 to 3.2.1, and tika-parsers versions 1.13 to 1.28.5.
- Patched versions are tika-core 3.2.2, tika-pdf-module 3.2.2, and tika-parsers 2.0.0.
- The vulnerability is similar to CVE-2025-54988 but expands the scope of affected packages.
- Users who upgraded tika-parser-pdf-module but not tika-core remain vulnerable.
- In the 1.x Tika releases the PDFParser lived in the tika-parsers module, which the original report did not mention.
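As an added example (not code from the advisory or from the Apache Tika project), a small Python checker that encodes the affected and fixed version ranges stated above and flags a deployment where the PDF module was upgraded but tika-core was left behind. The module names are the page's; mapping them to the artifact coordinates in your own build is an assumption you must verify.

```python
"""Flag Apache Tika module versions inside the CVE-2025-66516 affected ranges.
Ranges are those stated in the advisory summary; mapping these module names to
the artifact coordinates in your own build is an assumption you must verify."""
from typing import Dict, List, Optional, Tuple

# Per module, as stated on the page: (first affected, last affected, first fixed).
AFFECTED_RANGES: Dict[str, Tuple[str, str, str]] = {
    "tika-core": ("1.13", "3.2.1", "3.2.2"),
    "tika-pdf-module": ("2.0.0", "3.2.1", "3.2.2"),
    "tika-parsers": ("1.13", "1.28.5", "2.0.0"),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Dotted numeric version -> zero-padded 3-tuple; a '-qualifier' is dropped."""
    parts = [int(p) for p in text.split("-")[0].split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def vulnerable_reason(module: str, version: str) -> Optional[str]:
    """Reason string if (module, version) is in an affected range, else None.
    Modules the advisory does not list are out of scope and return None."""
    if module not in AFFECTED_RANGES:
        return None
    first, last, fixed = AFFECTED_RANGES[module]
    if parse_version(first) <= parse_version(version) <= parse_version(last):
        return f"{module} {version} affected by CVE-2025-66516 (fixed in {fixed})"
    return None


def check_deployment(modules: Dict[str, str]) -> List[str]:
    """Check every declared module; the deployment is only clear when the
    list is empty. Upgrading the PDF module alone while tika-core stays at
    3.2.1 still yields a finding, which is the advisory's caveat."""
    findings = (vulnerable_reason(m, v) for m, v in sorted(modules.items()))
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    # Constructed sample: PDF module upgraded, tika-core left behind.
    sample = {"tika-core": "3.2.1", "tika-pdf-module": "3.2.2"}
    for line in check_deployment(sample) or ["no affected modules found"]:
        print(line)
```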