CVE-2025-54988

CWE-611XML External Entity (XXE)11 documents8 sources
Severity
8.4HIGH
EPSS
0.0%
top 94.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Apache Software Foundation Apache Tika ParsersApache TikaApache Software Foundation Apache Tika Core+1 more
Timeline
PublishedAug 20
Latest updateJan 15

Description

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standar

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.5 | Impact: 5.9

Affected Packages7 packages

Mavenorg.apache.tika:tika-parsers1.132.0.0-ALPHA
NVDapache/tika1.133.2.2

🔴Vulnerability Details

5
GHSA
Apache Tika has XXE vulnerability2025-12-04
OSV
CVE-2025-54988: Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 12025-08-20
GHSA
Apache Tika XXE Vulnerability via Crafted XFA File Inside a PDF2025-08-20
OSV
Apache Tika XXE Vulnerability via Crafted XFA File Inside a PDF2025-08-20
CVEList
Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA2025-08-20

📋Vendor Advisories

4
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Oracle Business Rules (Apache Commons Compress) — CVE-2025-549882026-01-15
Red Hat
org.apache.tika/tika-parser-pdf-module: Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA2025-08-20
Debian
CVE-2025-54988: tika - Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through...2025
Apache
Apache tika: CVE-2025-54988
CVE-2025-54988 (HIGH CVSS 8.4) | Critical XXE in Apache Tika (tika-p | cvebase.io