CVE-2025-66516

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF.

This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways.

First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.

Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

References

Affected packages

Git / github.com/apache/tika

Affected ranges

Type: GIT
Repo: https://github.com/apache/tika
Events: Introduced

386b68b5ae87beafacfb63f33e0a9888dedb9c30

Fixed

c5c9d00e475d48226dfe3f80a2891bfa5426043a

Affected versions

1.*

1.13

1.13-rc1

1.14

1.14-rc1

1.15

1.15-rc1

1.16

1.17

2.*

2.0.0

2.0.0-ALPHA

2.0.0-BETA

2.1.0

2.2.0

2.2.1

2.3.0

2.4.0

2.4.1

2.5.0

2.6.0

2.7.0

2.8.0

2.9.0

3.*

3.0.0

3.0.0-BETA

3.0.0-BETA2

3.1.0

3.2.0

3.2.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-66516.json"