CVE-2025-66516: CWE-611 Improper Restriction of XML External Entity Reference in Apache Software Foundation Apache Tika core
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
AI Analysis
Technical Summary
CVE-2025-66516 is an XML External Entity (XXE) vulnerability classified under CWE-611 in Apache Tika core and its associated modules (tika-core versions 1.13 through 3.2.1, tika-pdf-module, i.e. the tika-parser-pdf-module artifact, 2.0.0 through 3.2.1, and tika-parsers 1.13 through 1.28.5). Apache Tika is a widely used content analysis toolkit that extracts metadata and text from many document formats, including PDFs. The vulnerability arises because XFA (XML Forms Architecture) form data embedded in a PDF is itself XML, and Tika parsed that XML without restricting external entity references. An attacker who can get a PDF parsed can declare an external entity in the XFA stream and have its target substituted into the extracted text: a local file (file disclosure), an internal HTTP endpoint (server-side request forgery) or a recursive entity definition (denial of service). The impact is primarily on confidentiality and availability. This CVE extends the earlier CVE-2025-54988 in two ways: the root cause and the fix reside in tika-core, so upgrading only tika-pdf-module is insufficient and tika-core must also be updated to 3.2.2 or later; and in the 1.x line the vulnerable PDFParser shipped in the tika-parsers module, which the original report did not mention. No authentication or user interaction is needed beyond having the file parsed, which increases the risk. The CVSS 4.0 score is 8.4; no exploitation in the wild had been reported at the time of this analysis. The vulnerability affects all platforms running the vulnerable versions of Apache Tika, which is commonly embedded in enterprise content management systems, search engines and document processing pipelines.
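The mechanism described above, shown as an added example that is not Tika's code and not taken from the advisory: a constructed XFA-style datasets fragment declares an external entity pointing at a local file, and a text extractor built on a default JAXP SAX parser dutifully copies that file's contents into the "extracted text". The hardened variant refuses the DOCTYPE and never resolves the entity. The XML sample, the class and method names, and the choice of /etc/hostname as the leaked file are all assumptions for illustration; Tika's own XFA extractor uses its internal XML utilities and is not reproduced here.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XfaXxeDemo {

    // Constructed sample, not a real PoC: an XDP/XFA datasets packet, as found in
    // a PDF's /AcroForm /XFA stream, with an external entity in the DTD subset.
    // /etc/hostname is an assumed readable file on the host running the demo.
    static final String XFA =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE xdp [ <!ENTITY leak SYSTEM \"file:///etc/hostname\"> ]>\n"
        + "<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\n"
        + "  <xfa:datasets xmlns:xfa=\"http://www.xfa.org/schema/xfa-data/1.0/\">\n"
        + "    <xfa:data><form1><field1>&leak;</field1></form1></xfa:data>\n"
        + "  </xfa:datasets>\n"
        + "</xdp:xdp>\n";

    // Minimal "text extractor": concatenates all character data, which is what a
    // content-analysis tool does with form field values.
    static final class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        @Override public void characters(char[] ch, int start, int len) {
            text.append(ch, start, len);
        }
    }

    // Default JAXP factory: DTD processing is on and external general entities
    // are resolved, so &leak; expands to the file's contents.
    static String extractUnsafe(String xml) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        return extract(f, xml);
    }

    // Hardened factory: no DOCTYPE at all (the cheapest complete XXE defence),
    // and belt-and-braces switches for external entities and external DTDs.
    static String extractHardened(String xml) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return extract(f, xml);
    }

    private static String extract(SAXParserFactory f, String xml) throws Exception {
        SAXParser parser = f.newSAXParser();
        TextCollector handler = new TextCollector();
        parser.parse(new InputSource(new StringReader(xml)), handler);
        return handler.text.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // On a Linux host this prints the machine's hostname: file contents that
        // were never part of the document have leaked into the extracted text.
        System.out.println("default parser extracted: " + extractUnsafe(XFA));
        try {
            extractHardened(XFA);
            System.out.println("hardened parser extracted: (unexpected success)");
        } catch (SAXException e) {
            // Expected: the DOCTYPE is rejected before any entity can be resolved.
            System.out.println("hardened parser rejected input: " + e.getMessage());
        }
    }
}
```

The extracted text is the exfiltration channel: in a real pipeline it ends up in a search index, a preview field or a log where the attacker can read it back, and an entity pointing at an http:// URL turns the same code path into a request from the parsing host. The feature URIs above are the ones the JDK's built-in Xerces understands; apply the same set to any XML parser your own code creates.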
Potential Impact
The impact of CVE-2025-66516 is significant for organizations that rely on Apache Tika for document parsing and content extraction. Successful exploitation allows XML External Entity injection, which can lead to disclosure of files readable by the Tika process, server-side request forgery against internal services reachable from the parsing host, and denial of service through entity expansion. Remote code execution is not a typical outcome of XXE in a Java XML parser and should not be assumed without environment-specific evidence. Because Apache Tika is integrated into many enterprise applications, including document management systems, email gateways and data indexing services, the vulnerability could be used to map internal networks, exfiltrate data through extracted text and search indexes, or disrupt business processes. No authentication or user interaction is required, so any pipeline that feeds untrusted PDFs to Tika (upload handlers, mail attachment scanners, crawlers, search indexers) is reachable by an attacker who can submit a file. Organizations processing untrusted or user-uploaded PDFs are at particular risk. Failure to patch could lead to data breaches, operational downtime, regulatory non-compliance and reputational damage.
Mitigation Recommendations
To mitigate CVE-2025-66516, upgrade all Apache Tika artifacts to 3.2.2 or later. The advisory names no fixed release in the 1.x or 2.x lines, so users of tika-parsers 1.x or tika-parser-pdf-module 2.x must move to 3.2.2 or later rather than to a newer 1.x or 2.x build. Verify that tika-core itself resolves to 3.2.2 or later in the application's dependency tree: the fix is in tika-core, and upgrading only tika-pdf-module leaves systems vulnerable, which can happen silently when an older tika-core is pinned or pulled in transitively. Do not rely on configuration to close this: affected versions offer no supported switch that disables entity resolution on this code path, and the advisory's only fix is the upgrade. Beyond patching, run document parsing in a sandboxed, least-privilege process with no access to secrets on disk and with outbound network access restricted, so that file disclosure and SSRF through the parser have little to reach. Apply network segmentation around systems running Apache Tika. Monitor logs for unusual XML parsing errors, unexpected file reads or outbound connections from the parsing host, which indicate XXE exploitation attempts. Harden any XML parsing your own code performs on extracted content (disallow DOCTYPE declarations, disable external entities). Finally, include document ingestion pipelines in regular security assessments and penetration tests.
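The module-consistency check from the recommendations above, as an added example that is not part of the advisory or of Tika: it reads the jar names in a lib directory (or a constructed list when run without arguments), picks out the three artifacts the advisory names, and reports the exact mismatch CVE-2025-66516 exists to flag, a fixed tika-parser-pdf-module sitting next to an unfixed tika-core. The file-name pattern, the sample jar list and the class name are assumptions; the fixed version 3.2.2 and the affected artifact names come from the advisory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

public class TikaVersionAudit {

    // First fixed tika-core release per the advisory.
    static final int[] FIXED = {3, 2, 2};

    // Matches the artifacts the advisory names, e.g. tika-core-3.2.1.jar or
    // tika-parsers-1.28.5.jar. The 3.x tika-parsers-standard-package jar does
    // not match, which is intended: it is not one of the three listed artifacts.
    static final Pattern JAR = Pattern.compile(
        "^(tika-core|tika-parser-pdf-module|tika-parsers)-(\\d+(?:\\.\\d+)*)(?:-[A-Za-z0-9]+)?\\.jar$");

    static int[] parseVersion(String v) {
        return Arrays.stream(v.split("\\.")).mapToInt(Integer::parseInt).toArray();
    }

    // Component-wise comparison; missing trailing components count as zero.
    static int compareVersions(int[] a, int[] b) {
        int n = Math.max(a.length, b.length);
        for (int i = 0; i < n; i++) {
            int x = i < a.length ? a[i] : 0;
            int y = i < b.length ? b[i] : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    // Returns one finding per condition worth acting on.
    static List<String> audit(Collection<String> jarNames) {
        Map<String, String> found = new TreeMap<>();
        for (String name : jarNames) {
            Matcher m = JAR.matcher(name);
            if (m.matches()) found.put(m.group(1), m.group(2));
        }
        List<String> findings = new ArrayList<>();
        if (found.isEmpty()) {
            findings.add("OK: none of the Tika artifacts named in the advisory are present");
            return findings;
        }
        String core = found.get("tika-core");
        String pdf = found.get("tika-parser-pdf-module");
        String parsers1x = found.get("tika-parsers");

        if (parsers1x != null) {
            findings.add("VULNERABLE: tika-parsers " + parsers1x + " (1.x) ships PDFParser; "
                + "no fixed 1.x release is listed, migrate to 3.2.2 or later");
        }
        if (core == null) {
            findings.add("WARN: tika-core not found here; the fix lives in tika-core, "
                + "confirm which version the application actually loads");
        } else if (compareVersions(parseVersion(core), FIXED) < 0) {
            if (pdf != null && compareVersions(parseVersion(pdf), FIXED) >= 0) {
                findings.add("VULNERABLE: tika-parser-pdf-module " + pdf + " is fixed but tika-core "
                    + core + " is below 3.2.2; this is the gap CVE-2025-66516 describes");
            } else {
                findings.add("VULNERABLE: tika-core " + core + " is below 3.2.2");
            }
        } else {
            findings.add("OK: tika-core " + core + " is 3.2.2 or later");
            if (pdf != null && !pdf.equals(core)) {
                findings.add("WARN: tika-parser-pdf-module " + pdf + " does not match tika-core "
                    + core + "; keep all Tika modules on one version");
            }
        }
        return findings;
    }

    static List<String> auditDirectory(Path lib) throws IOException {
        try (Stream<Path> entries = Files.list(lib)) {
            return audit(entries.map(p -> p.getFileName().toString()).collect(Collectors.toList()));
        }
    }

    public static void main(String[] args) throws IOException {
        List<String> findings;
        if (args.length > 0) {
            findings = auditDirectory(Paths.get(args[0]));
        } else {
            // Constructed sample: the half-upgraded state the advisory warns about.
            findings = audit(Arrays.asList(
                "tika-core-3.2.1.jar",
                "tika-parser-pdf-module-3.2.2.jar",
                "some-other-library-1.0.jar"));
        }
        findings.forEach(System.out::println);
    }
}
```

Run it against the directory the application actually loads jars from (a fat jar or container image layer is fine once unpacked), not against the build's declared dependencies, since dependency mediation is what produces the mismatch in the first place.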
Affected Countries
United States, Germany, United Kingdom, France, India, China, Japan, South Korea, Australia, Canada, Brazil, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2025-12-03T23:11:17.441Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6931b6d8739651d5d52faf55
Added to database: 12/4/2025, 4:29:12 PM
Last enriched: 2/27/2026, 6:19:39 AM
Last updated: 3/25/2026, 8:58:43 PM
Views: 1257