CVE-2025-66516
published 2025-12-04

CVE-2025-66516: Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to…

Priority: P182 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 79.81% (99.6th percentile)
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

Affected

4 ranges

Vendor | Product | Version range | Fixed in
apache | tika | >= 0 < 1.22-2+deb11u1 | 1.22-2+deb11u1
apache | tika | >= 1.13 < 3.2.2 | 3.2.2
debian | tika | < tika 1.22-2+deb11u1 (bullseye) | tika 1.22-2+deb11u1 (bullseye)
ubuntu | tika | |

Detection & IOCs (extracted from sources)

url: PUT /tika HTTP/1.1
path: /tika
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Apache Tika XML External Entity Injection (CVE-2025-66516)"; flow:established,to_server; http.request_body; content:"|25|PDF|2d|1|2e|"; content:"|0a 2f|NeedAppearances|20|"; fast_pattern; content:"|0a 2f|XFA|20|"; content:"|3c 21|ENTITY|20|"; distance:0; content:"|20|SYSTEM|20|"; distance:0; reference:url,xz.aliyun.com/news/90783; reference:cve,2025-66516; classtype:web-application-attack; sid:2066322; rev:1; metadata:affected_product Apache_Tika, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_15, cve CVE_2025_66516, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: |25|PDF|2d|1|2e|
bytes: |0a 2f|NeedAppearances|20|
bytes: |0a 2f|XFA|20|
bytes: |3c 21|ENTITY|20|
bytes: |20|SYSTEM|20|
  • Exploit is delivered as a PUT request to /tika with Content-Type: application/pdf containing a crafted PDF with an embedded XFA block that declares an XXE ENTITY with a SYSTEM reference (e.g., file:///etc/passwd). Successful exploitation returns content matching 'root:.*:0:0:' in the response body.
  • A canary/error-based detection variant sends a PDF with an XFA ENTITY pointing to a non-existent file (file:///tmp/xxe_test_nonexistent_12345); a vulnerable server returns HTTP 200 with 'FileNotFoundException' or 'No such file' in the body, confirming XXE processing.
  • Network detection should look for HTTP request bodies containing the PDF magic bytes (%PDF-1.), followed by /NeedAppearances, /XFA, <!ENTITY, and SYSTEM keywords — all characteristic of the crafted XFA-in-PDF XXE payload.
  • Shodan/FOFA exposure query for potentially vulnerable Apache Tika instances: title:"Apache Tika" / title="Apache Tika".
  • The vulnerability is triggered specifically when Apache Tika processes a PDF containing an XFA (XML Forms Architecture) stream with an external entity declaration. Monitor Tika server logs for PDF parse errors referencing XFA or external entity resolution failures.
  • Upgrading only tika-parser-pdf-module is insufficient — the vulnerable code resides in tika-core. Systems that upgraded tika-parser-pdf-module but left tika-core at < 3.2.2 remain exploitable.
  • For 1.x Tika deployments, the affected module is org.apache.tika:tika-parsers (versions 1.13–1.28.5), not tika-parser-pdf-module. Both module families must be assessed.
  • Exploitation is unauthenticated and requires no user interaction — any network-accessible Apache Tika endpoint that accepts PDF input is at risk.
  • Beyond file disclosure, successful XXE exploitation can also enable SSRF, data tampering, and potential elevation of privileges due to the ability to initiate arbitrary requests to internal or external network resources.
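As an added example (not from the advisory's sources or the Apache Tika project), a stand-alone Python check that applies the marker logic of the Snort rule above to raw HTTP request bodies, including the relative-ordering constraint of its `distance:0` contents; the request samples, the `tika.example` host and the `/tika` path check are constructed fixtures.

```python
# Byte markers from the Snort rule above (hex sequences decoded).
PDF_MAGIC = b"%PDF-1."
NEED_APPEARANCES = b"\n/NeedAppearances "
XFA = b"\n/XFA "
ENTITY = b"<!ENTITY "
SYSTEM = b" SYSTEM "


def body_matches_xfa_xxe(body: bytes) -> bool:
    """Mirror the rule: PDF magic, /NeedAppearances and /XFA anywhere in the
    body, then '<!ENTITY ' after the /XFA hit and ' SYSTEM ' after the ENTITY
    hit (Snort's distance:0 = relative to the end of the previous match)."""
    if PDF_MAGIC not in body or NEED_APPEARANCES not in body:
        return False
    xfa_end = body.find(XFA)
    if xfa_end < 0:
        return False
    entity_end = body.find(ENTITY, xfa_end + len(XFA))
    if entity_end < 0:
        return False
    return body.find(SYSTEM, entity_end + len(ENTITY)) >= 0


def inspect_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into request line and body, apply the
    body check, and note whether it targets the /tika upload endpoint."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, _, rest = request_line.partition(" ")
    path = rest.split(" ", 1)[0]
    return {
        "method": method,
        "path": path,
        "tika_endpoint": method == "PUT" and path == "/tika",
        "xfa_xxe_markers": body_matches_xfa_xxe(body),
    }


# Constructed fixtures (not real captures). SUSPICIOUS_BODY carries the marker
# sequence with a placeholder SYSTEM identifier and no entity reference;
# BENIGN_BODY is an ordinary XFA form stream with no entity declaration.
HEADERS = b"PUT /tika HTTP/1.1\r\nHost: tika.example\r\nContent-Type: application/pdf\r\n\r\n"
PDF_HEAD = b"%PDF-1.7\n1 0 obj\n<<\n/NeedAppearances true\n/XFA 2 0 R\n>>\nendobj\n"
SUSPICIOUS_BODY = PDF_HEAD + b"2 0 obj\nstream\n<!ENTITY x SYSTEM \"file:///CONSTRUCTED\">\nendstream\nendobj\n"
BENIGN_BODY = PDF_HEAD + b"2 0 obj\nstream\n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\"/>\nendstream\nendobj\n"

if __name__ == "__main__":
    for body in (SUSPICIOUS_BODY, BENIGN_BODY):
        print(inspect_request(HEADERS + body))
```

The ordering check matters for false positives: an ENTITY/SYSTEM pair that precedes the /XFA key does not satisfy the rule, and the example returns False for that case too.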

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa | | 8.4 | HIGH |
osv | | 8.4 | HIGH |
vendor_oracle | | 10.0 | HIGH |
vendor_debian | | 8.4 | HIGH |
vendor_redhat | | 8.4 | HIGH |