
XML external entity compromise possible with maximum severity Apache Tika bug


The core, PDF, and parser modules of the open source content analysis toolkit Apache Tika are affected by a maximum severity vulnerability, tracked as CVE-2025-66516, that could be leveraged in XML external entity (XXE) attacks, Security Affairs reports.

An alert from Apache warned that malicious XFA files embedded in a PDF could be used to exploit the flaw and access sensitive internal resources. Affected versions are Apache Tika core 1.13 to 3.2.1, the Tika PDF parser module 2.0.0 to 3.2.1, and Tika parsers 1.13 to 1.28.5.
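The precondition for the attack described above is XML (here, an XFA form stream inside a PDF) that declares external entities and then references them. The following is an added illustration, not code from Apache Tika or the advisory: a stand-alone Python pre-check, built on the standard library's expat bindings, that records every external entity declaration and external DTD subset in an XML document and refuses to resolve any of them. The two sample documents, the `xdp` element names and the `file:///placeholder/...` URI are constructed for the example.

```python
"""Flag XML that declares external entities before it reaches a full parser.

Added example, not Apache Tika code. Tika is a Java project; this is a
Python check that can run over XML extracted from documents (for example
an XFA stream pulled out of a PDF) ahead of any feature-rich parser.
"""
import xml.parsers.expat

# Constructed sample: an XFA-like document with an external entity.
XFA_WITH_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE xdp [
  <!ENTITY ext SYSTEM "file:///placeholder/internal-resource">
]>
<xdp><form>&ext;</form></xdp>"""

# Constructed sample: the same shape of document with no DTD at all.
XFA_CLEAN = b"""<?xml version="1.0"?>
<xdp><form><field name="example"/></form></xdp>"""


def find_external_references(xml_bytes: bytes) -> list:
    """Return a list of (kind, name, system_id, public_id) findings.

    kind is "entity" for an external entity declaration or "doctype" for a
    DOCTYPE that points at an external DTD subset. Parsing stops as soon as
    an external entity is actually referenced, so nothing is ever fetched.
    """
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # An external DTD subset is itself something a resolver would fetch.
        if system_id is not None or public_id is not None:
            found.append(("doctype", name, system_id, public_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value; external ones carry SYSTEM/PUBLIC ids.
        if system_id is not None or public_id is not None:
            found.append(("entity", name, system_id, public_id))

    def on_external_ref(context, base, system_id, public_id):
        # Returning 0 makes expat abort with an error instead of resolving it.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        # Expected once an external entity is referenced; by then the
        # declarations that matter have already been recorded above.
        pass
    return found


def classify_xml(xml_bytes: bytes) -> str:
    """Accept only well-formed XML with no external entities or DTD subset."""
    findings = find_external_references(xml_bytes)
    if findings:
        return "reject: external entity or DTD reference"
    try:
        # Second pass with default handlers: any error now is plain malformed XML.
        xml.parsers.expat.ParserCreate().Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        return "reject: not well-formed"
    return "accept"


if __name__ == "__main__":
    for label, doc in (("xxe", XFA_WITH_XXE), ("clean", XFA_CLEAN)):
        print(label, classify_xml(doc), find_external_references(doc))
```

The check deliberately treats any external DTD subset as a rejection as well, since a resolver that follows it is the same class of outbound fetch as resolving an external entity.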

"...[W]hile the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable," said the advisory. Immediate patching of the flaw has been recommended.
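The advisory's point is that an upgraded tika-parser-pdf-module is not enough on its own: tika-core must be at 3.2.2 or later. The script below is an added example, not Apache or Tika tooling, that audits a Maven dependency listing for the affected ranges quoted in this article and calls out the specific case of a patched PDF module sitting on top of an unpatched core. It assumes lines in the `groupId:artifactId:type:version:scope` form that `mvn dependency:list` prints; the sample listing and the `com.example` line are constructed.

```python
"""Audit a Maven dependency listing for the Apache Tika ranges named in
CVE-2025-66516. Added example; the ranges are those quoted in the article.
"""

# Inclusive affected ranges (lower, upper) per artifact, as quoted above.
AFFECTED_RANGES = {
    "tika-core": ((1, 13), (3, 2, 1)),
    "tika-parser-pdf-module": ((2, 0, 0), (3, 2, 1)),
    "tika-parsers": ((1, 13), (1, 28, 5)),
}
# The advisory names this as the version users must reach for tika-core.
TIKA_CORE_FIXED = (3, 2, 2)

# Constructed sample of `mvn dependency:list` output (assumption: that format).
SAMPLE_DEPENDENCIES = [
    "org.apache.tika:tika-core:jar:3.2.1:compile",
    "org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile",
    "com.example:some-other-lib:jar:1.0.0:compile",
]


def parse_version(text: str) -> tuple:
    """'3.2.1' -> (3, 2, 1); a '-SNAPSHOT' or similar suffix is dropped."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def in_affected_range(artifact: str, version: tuple) -> bool:
    bounds = AFFECTED_RANGES.get(artifact)
    if bounds is None:
        return False
    lower, upper = bounds
    return lower <= version <= upper


def audit(dependency_lines) -> dict:
    """Return affected Tika artifacts and whether core lags the PDF module."""
    versions = {}
    for line in dependency_lines:
        parts = line.strip().split(":")
        # Expect groupId:artifactId:type:version[:scope]
        if len(parts) < 4 or parts[0] != "org.apache.tika":
            continue
        versions[parts[1]] = parts[3]

    affected = {
        artifact: version
        for artifact, version in versions.items()
        if in_affected_range(artifact, parse_version(version))
    }

    # The mismatch the advisory warns about: PDF module upgraded, core not.
    core = versions.get("tika-core")
    pdf_module = versions.get("tika-parser-pdf-module")
    core_lags = (
        core is not None
        and pdf_module is not None
        and parse_version(core) < TIKA_CORE_FIXED
        and parse_version(pdf_module) >= TIKA_CORE_FIXED
    )
    return {"affected": affected, "core_lags_pdf_module": core_lags}


if __name__ == "__main__":
    report = audit(SAMPLE_DEPENDENCIES)
    for artifact, version in report["affected"].items():
        print(f"affected: {artifact} {version}")
    if report["core_lags_pdf_module"]:
        print("tika-parser-pdf-module was upgraded but tika-core is below 3.2.2")
```

Run it against the real output of `mvn dependency:list` (or any other listing in the same form); a non-empty `affected` map or a true `core_lags_pdf_module` flag means the build still needs the tika-core upgrade.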
