CVE-2025-66516
Published 2025-12-04
Priority: P1 (82) · Critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 79.81% (99.6th percentile)
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF.
This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways.
First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.
Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
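The scoping rules above (three artifacts, three inclusive ranges, and the trap of upgrading tika-parser-pdf-module while leaving tika-core behind) as a small dependency audit. This is an added example, not part of the advisory; the artifact names and ranges are taken from the text above, and the sample dependency map is constructed.

```python
"""Audit a resolved dependency list against the CVE-2025-66516 ranges.
Added example, not from the advisory; ranges come from the text above,
the sample input is constructed."""
import re

# Inclusive affected ranges per Maven artifactId, as stated in the advisory.
AFFECTED = {
    "tika-core": ("1.13", "3.2.1"),
    "tika-parser-pdf-module": ("2.0.0", "3.2.1"),
    "tika-parsers": ("1.13", "1.28.5"),
}
FIXED_CORE = "3.2.2"  # the fix lives in tika-core, not in the PDF module

def parse_version(v: str) -> tuple[int, ...]:
    """'3.2' -> (3, 2, 0): numeric prefix of each component, padded to three."""
    nums = []
    for part in v.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))

def in_range(version: str, lo: str, hi: str) -> bool:
    v = parse_version(version)
    return parse_version(lo) <= v <= parse_version(hi)

def audit(deps: dict[str, str]) -> list[str]:
    """deps maps artifactId -> version; returns human-readable findings."""
    findings = []
    for artifact, (lo, hi) in AFFECTED.items():
        ver = deps.get(artifact)
        if ver and in_range(ver, lo, hi):
            findings.append(f"{artifact} {ver} is in affected range {lo}-{hi}")
    # The trap the advisory calls out: PDF module patched, core left behind.
    pdf = deps.get("tika-parser-pdf-module")
    core = deps.get("tika-core")
    if pdf and core and parse_version(pdf) >= parse_version(FIXED_CORE) \
            and parse_version(core) < parse_version(FIXED_CORE):
        findings.append(
            f"partial upgrade: tika-parser-pdf-module {pdf} is patched but "
            f"tika-core {core} < {FIXED_CORE}; the XFA XXE is still reachable")
    return findings

# Constructed sample: a 3.x deployment that only bumped the PDF module.
SAMPLE_DEPS = {"tika-core": "3.2.1", "tika-parser-pdf-module": "3.2.2"}

if __name__ == "__main__":
    for line in audit(SAMPLE_DEPS):
        print(line)
```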
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tika | >= 0 < 1.22-2+deb11u1 | 1.22-2+deb11u1 |
| apache | tika | >= 1.13 < 3.2.2 | 3.2.2 |
| debian | tika | < tika 1.22-2+deb11u1 (bullseye) | tika 1.22-2+deb11u1 (bullseye) |
| ubuntu | tika | — | — |
Detection & IOCs (extracted from sources)
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Apache Tika XML External Entity Injection (CVE-2025-66516)"; flow:established,to_server; http.request_body; content:"|25|PDF|2d|1|2e|"; content:"|0a 2f|NeedAppearances|20|"; fast_pattern; content:"|0a 2f|XFA|20|"; content:"|3c 21|ENTITY|20|"; distance:0; content:"|20|SYSTEM|20|"; distance:0; reference:url,xz.aliyun.com/news/90783; reference:cve,2025-66516; classtype:web-application-attack; sid:2066322; rev:1; metadata:affected_product Apache_Tika, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_15, cve CVE_2025_66516, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Byte patterns used by the rule:
- |25|PDF|2d|1|2e|
- |0a 2f|NeedAppearances|20|
- |0a 2f|XFA|20|
- |3c 21|ENTITY|20|
- |20|SYSTEM|20|
- Exploit is delivered as a PUT request to /tika with Content-Type: application/pdf containing a crafted PDF with an embedded XFA block that declares an XXE ENTITY with a SYSTEM reference (e.g., file:///etc/passwd). Successful exploitation returns content matching 'root:.*:0:0:' in the response body.
- A canary/error-based detection variant sends a PDF with an XFA ENTITY pointing to a non-existent file (file:///tmp/xxe_test_nonexistent_12345); a vulnerable server returns HTTP 200 with 'FileNotFoundException' or 'No such file' in the body, confirming XXE processing.
- Network detection should look for HTTP request bodies containing the PDF magic bytes (%PDF-1.), followed by /NeedAppearances, /XFA, <!ENTITY, and SYSTEM keywords — all characteristic of the crafted XFA-in-PDF XXE payload.
- Shodan/FOFA exposure query for potentially vulnerable Apache Tika instances: title:"Apache Tika" / title="Apache Tika".
- The vulnerability is triggered specifically when Apache Tika processes a PDF containing an XFA (XML Forms Architecture) stream with an external entity declaration. Monitor Tika server logs for PDF parse errors referencing XFA or external entity resolution failures.
- Upgrading only tika-parser-pdf-module is insufficient — the vulnerable code resides in tika-core. Systems that upgraded tika-parser-pdf-module but left tika-core at < 3.2.2 remain exploitable.
- For 1.x Tika deployments, the affected module is org.apache.tika:tika-parsers (versions 1.13–1.28.5), not tika-parser-pdf-module. Both module families must be assessed.
- Exploitation is unauthenticated and requires no user interaction — any network-accessible Apache Tika endpoint that accepts PDF input is at risk.
- Beyond file disclosure, successful XXE exploitation can also enable SSRF, data tampering, and potential elevation of privileges due to the ability to initiate arbitrary requests to internal or external network resources.
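The request-side ordering the ET rule enforces (absolute matches for the PDF magic, /NeedAppearances and /XFA, then distance:0 relative matches for <!ENTITY and SYSTEM) and the response-side markers listed above, re-implemented as an offline matcher for log or capture review. This is an added example, not part of the page or of the Emerging Threats ruleset; the patterns are copied from sid:2066322 above, and the request bodies are constructed byte stubs, not valid PDFs.

```python
"""Offline approximation of ET sid:2066322 content matching (added example).
Patterns are copied from the rule above; the stub bodies are constructed."""
import re

# (pattern, relative): relative=True mirrors distance:0, i.e. the match must
# start at or after the end of the previous match; False is an absolute search.
RULE = [
    ("|25|PDF|2d|1|2e|", False),
    ("|0a 2f|NeedAppearances|20|", False),
    ("|0a 2f|XFA|20|", False),
    ("|3c 21|ENTITY|20|", True),
    ("|20|SYSTEM|20|", True),
]

def snort_content(pattern: str) -> bytes:
    """Decode Snort content syntax: text outside |..| is literal, inside is hex."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def rule_matches(body: bytes) -> bool:
    """Approximates Snort's ordered content evaluation over one request body."""
    cursor = 0
    for pattern, relative in RULE:
        needle = snort_content(pattern)
        idx = body.find(needle, cursor if relative else 0)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True

# Response-side markers the page lists for a successful probe or the canary.
RESPONSE_MARKERS = re.compile(rb"root:.*:0:0:|FileNotFoundException|No such file")

def response_indicates_xxe(response_body: bytes) -> bool:
    """True when a Tika response carries one of the listed exploitation markers."""
    return RESPONSE_MARKERS.search(response_body) is not None

# Constructed stubs that only exercise the byte ordering; not valid PDFs.
SUSPICIOUS = b'%PDF-1.7\n/NeedAppearances true\n/XFA 5 0 R\n<!ENTITY x SYSTEM "placeholder">'
BENIGN_XFA = b"%PDF-1.7\n/NeedAppearances true\n/XFA 5 0 R\n<xdp:xdp/>"
WRONG_ORDER = b'%PDF-1.7\n<!ENTITY x SYSTEM "p">\n/NeedAppearances true\n/XFA 5 0 R\n'

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS), ("benign", BENIGN_XFA),
                       ("wrong order", WRONG_ORDER)):
        print(f"{name}: {'ALERT' if rule_matches(body) else 'pass'}")
```

The WRONG_ORDER stub shows why distance:0 matters: every keyword is present, but <!ENTITY precedes /XFA, so the relative search fails and no alert fires.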
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 8.4 | HIGH | |
| osv | 8.4 | HIGH | |
| vendor_oracle | 10.0 | HIGH | |
| vendor_debian | 8.4 | HIGH | |
| vendor_redhat | 8.4 | HIGH | |
Ubuntu
Apache Tika vulnerabilities
vendor_ubuntu·2026-05-27
CVE-2025-54988: Apache Tika vulnerabilities
Summary: Several security issues were fixed in Apache Tika.
It was discovered that Apache Tika incorrectly handled XML external entities when parsing XFA content in PDF files. An attacker could possibly use this issue to obtain sensitive information or send malicious requests to internal resources or third-party servers.
Instructions: In general, a standard system update will make all the necessary changes.
Oracle
Oracle Oracle Commerce Risk Matrix: Workbench (Apache Tika) — CVE-2025-66516
vendor_oracle·2026-01-15·CVSS 10.0
CVE: CVE-2025-66516
CVSS: 10.0
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2026 (JAN 2026)
Red Hat
tika-core: tika-parsers: tika-parser-pdf-module: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected
vendor_redhat·2025-12-04·CVSS 8.4
Severity: HIGH · CWE-611
Debian
CVE-2025-66516: tika - Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1...
vendor_debian·2025·CVSS 8.4
Severity: HIGH
Scope: local
GHSA
Apache Tika has XXE vulnerability
ghsa·2025-12-04·CVSS 8.4
Severity: HIGH · CWE-611
OSV
Apache Tika has XXE vulnerability
osv·2025-12-04·CVSS 8.4
Severity: HIGH
OSV
CVE-2025-66516: Critical XXE in Apache Tika tika-core (1
osv·2025-12-04·CVSS 8.4
Severity: HIGH
Suricata
ET WEB_SPECIFIC_APPS Apache Tika XML External Entity Injection (CVE-2025-66516)
suricata·2025-12-15·CVSS 8.4
Severity: HIGH
Rule: see the Snort rule under Detection & IOCs above (sid:2066322, rev:1).
Nuclei
Apache Tika - XML External Entity Injection
nuclei·CVSS 9.8
Severity: CRITICAL
Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1), and tika-parsers (1.13-1.28.5) contain an XML External Entity injection caused by processing crafted XFA files inside PDFs, letting attackers perform XXE attacks remotely, exploit requires crafted PDF input.
Template:
id: CVE-2025-66516
info:
  name: Apache Tika - XML External Entity Injection
  author: MathematicianGoat
  severity: high
  description: |
    Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1), and tika-parsers (1.13-1.28.5) contain an XML External Entity injection caused by processing crafted XFA files inside PDFs, letting attackers perform XXE attacks remotely, exploit requires crafted PDF input.
  impact: |
    Attackers can exploit XXE to read local files or ca
Bugzilla
CVE-2025-66516 tika-core: tika-parsers: tika-parser-pdf-module: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected
bugzilla·2025-12-04·CVSS 8.4
Severity: HIGH
Wiz
Crying Out Cloud Monthly Newsletter - January 2026 | Wiz
blogs_wiz·2026-01-22·CVSS 8.7
CVE-2025-55182 [HIGH] Crying Out Cloud Monthly Newsletter - January 2026 | Wiz