Apache Tika, a widely used content detection and analysis framework, has been found vulnerable to a critical XML External Entity (XXE) injection flaw tracked as CVE-2025-66516. This vulnerability affects multiple modules: tika-core versions from 1.13 to 3.2.1, tika-pdf-module versions 2.0.0 to 3.2.1, and tika-parsers versions 1.13 to 1.28.5. The flaw allows attackers to craft malicious XFA (XML Forms Architecture) files embedded within PDFs that, when processed by vulnerable Tika modules, trigger XXE injection. This can lead to unauthorized disclosure of server files and potentially remote code execution due to the way XML external entities are handled. The vulnerability is an expansion of a previously patched issue (CVE-2025-54988) but with a broader scope because the fix was initially applied only to tika-parser-pdf-module and not tika-core, leaving many users still exposed if they did not upgrade tika-core accordingly. Additionally, older 1.x releases with PDFParser in tika-parsers were also vulnerable. The vulnerability is platform-independent and affects all systems running the vulnerable versions. Exploitation requires no authentication and can be triggered by processing a malicious PDF file, making it a high-risk vector for attackers. The Apache Tika team has released patched versions (3.2.2 for tika-core and tika-pdf-module, and 2.0.0 for tika-parsers) to remediate the issue. Given the criticality and ease of exploitation, immediate patching is essential to prevent potential data breaches and system compromise.

For European organizations, the impact of CVE-2025-66516 is severe. Apache Tika is commonly integrated into enterprise content management systems, document processing workflows, and data ingestion pipelines across sectors such as finance, government, healthcare, and legal services. Exploitation could allow attackers to access sensitive internal files, intellectual property, or personally identifiable information (PII), violating GDPR and other data protection regulations. Remote code execution capabilities could enable attackers to deploy malware, establish persistent footholds, or pivot within networks, leading to widespread disruption and data loss. The vulnerability's ease of exploitation via crafted PDFs increases the risk of targeted attacks, especially in environments where untrusted documents are routinely processed. This can also affect cloud service providers and SaaS platforms based in Europe that utilize Apache Tika for content analysis. The reputational damage and regulatory penalties from breaches exploiting this flaw could be substantial. Therefore, the threat poses a critical operational and compliance risk to European organizations.

1. Immediately upgrade all Apache Tika components to the patched versions: tika-core and tika-pdf-module to 3.2.2 or later, and tika-parsers to 2.0.0 or later. 2. Audit all systems and applications that use Apache Tika for document parsing, especially those processing PDFs, to ensure no vulnerable versions remain in use. 3. Implement strict input validation and sanitization for all XML and PDF inputs before processing to detect and block malicious payloads. 4. Employ sandboxing or containerization for document processing services to limit the impact of potential exploitation. 5. Monitor logs and network traffic for unusual file access patterns or outbound connections that could indicate exploitation attempts. 6. Educate developers and system administrators about the risks of XXE and secure coding practices related to XML processing. 7. Consider disabling or restricting XFA form processing if not required by business processes. 8. Review and update incident response plans to include scenarios involving XXE exploitation and remote code execution. 9. Coordinate with third-party vendors and cloud providers to confirm their Apache Tika components are patched. 10. Regularly scan software dependencies for vulnerabilities and apply updates promptly to prevent similar risks.