CVE-2025-66516: CWE-611 Improper Restriction of XML External Entity Reference in Apache Software Foundation Apache Tika core
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
AI Analysis
Technical Summary
CVE-2025-66516 is an XML External Entity (XXE) vulnerability, CWE-611, in Apache Tika: tika-core 1.13 through 3.2.1, tika-parser-pdf-module (named tika-pdf-module in the advisory) 2.0.0 through 3.2.1, and tika-parsers 1.13 through 1.28.5. The entry point is the PDF parser's handling of XFA (XML Forms Architecture) forms embedded in a PDF: the XFA stream is XML, and it was handed to an XML reader that still resolved external entities. A PDF whose XFA data declares an external entity (a DOCTYPE with an ENTITY SYSTEM declaration pointing at a file: or http: URL) can therefore make the Tika process read any file its account can access and return the contents as extracted text, issue outbound requests to attacker-chosen URLs (server-side request forgery and out-of-band exfiltration), or tie up the parser with entity-expansion payloads. Arbitrary code execution is not a direct consequence of XXE in a Java parser; the confidentiality, integrity and availability impacts above are what the score reflects. The same bug was first published as CVE-2025-54988 against tika-parser-pdf-module. This CVE widens the affected-package list for two reasons: the vulnerable code and its fix are in tika-core, not in the PDF module, so a deployment that upgraded tika-parser-pdf-module but still loads a tika-core below 3.2.2 remains vulnerable; and in the 1.x line the PDFParser shipped in org.apache.tika:tika-parsers, which the first advisory did not list. The base score attached to this record is 8.4 (High) with vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; note that the Scope metric belongs to CVSS v3.x while the record metadata below lists CVSS version 4.0, so confirm the scoring against the source record before reusing it. The local attack vector follows the CVSS convention for file-parsing bugs (the crafted file has to be delivered to and parsed by the process); it does not mean the attacker needs a foothold on the host. Any service that parses untrusted PDFs, such as an upload endpoint, a mail gateway or a Tika Server instance, is exposed. The issue affects every platform Tika runs on. No in-the-wild exploitation has been reported, but Tika sits behind many content-detection and text-extraction pipelines, so the exposure is broad. The fix is in tika-core 3.2.2; there is no fixed 1.x or 2.x release, so every affected deployment must move tika-core, together with the parser artifacts it is paired with, to 3.2.2 or later.
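What the XFA path does wrong, reduced to the XML layer, as an added example that is not code from the Tika project: a constructed XFA-style document declares an external entity pointing at a local file, and two StAX readers are given the same input. The permissive reader (JDK defaults) returns the file contents as character data, which is exactly what a text extractor would then emit; the hardened reader disables DTD processing and external entities and either rejects the document or leaves the reference unresolved, depending on the StAX implementation. The temporary file, the entity name "xxe" and the XFA fragment are all made up for this demonstration.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/**
 * Added example (not Apache Tika code): the CWE-611 condition on an XFA-style
 * document, and the factory settings that close it.
 */
public class XfaXxeDemo {

    /** JDK defaults: DTDs are processed and external entities are resolved. */
    static XMLInputFactory permissiveFactory() {
        return XMLInputFactory.newFactory();
    }

    /** Hardened: no DTD processing, no external entities. Set both; one alone
     *  is not sufficient on every StAX implementation. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** Concatenates all character content, the way a text extractor would.
     *  If the external entity is resolved, the referenced file's bytes end up
     *  in the returned string. */
    static String extractText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file the parsing host must never leak.
        Path secret = Files.createTempFile("tika-xxe-demo", ".txt");
        Files.write(secret, "db_password=hunter2".getBytes(StandardCharsets.UTF_8));

        // Constructed XFA-style payload: an external entity whose value is read
        // from the local file system, referenced inside a form data field.
        String xfa = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE xdp [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\n"
                + "  <xfa:datasets xmlns:xfa=\"http://www.xfa.org/schema/xfa-data/1.0/\">\n"
                + "    <xfa:data><form1><field1>&xxe;</field1></form1></xfa:data>\n"
                + "  </xfa:datasets>\n"
                + "</xdp:xdp>\n";

        try {
            // On a stock JDK this prints the temp file's contents: the leak.
            String leaked = extractText(permissiveFactory(), xfa);
            System.out.println("permissive parser extracted: " + leaked.trim());

            try {
                String safe = extractText(hardenedFactory(), xfa);
                System.out.println("hardened parser extracted: '" + safe.trim()
                        + "' (entity left unresolved)");
            } catch (XMLStreamException e) {
                System.out.println("hardened parser rejected the document: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

The point of the comparison is that the fix is a parser-factory setting, not anything visible in the PDF: a DOCTYPE with an external entity is well-formed XML, so nothing upstream of the reader can tell a hostile XFA stream from a benign one.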
Potential Impact
For European organizations the impact of CVE-2025-66516 can be severe. Tika is embedded in document-processing pipelines, content management and enterprise search systems, and data-extraction tooling across finance, government, healthcare and legal services, often as a transitive dependency that nobody remembers deploying. Exploitation leaks whatever the Tika process can read: configuration files, credentials and keys on the parsing host, and, through the outbound-request primitive, internal services and cloud metadata endpoints reachable from it. Integrity is affected in that the extracted text, and anything built from it such as search indexes or downstream records, can be silently polluted with the contents of local files. Availability can be hit by entity-expansion payloads that tie up the parser. Because the local attack vector only means that the file must be parsed on the host, unattended pipelines that process untrusted PDFs (email gateways, document ingestion services, automated compliance or e-discovery systems) are the most exposed: they parse whatever arrives, with no user interaction and no privilege check on the submitter. The outbound-request primitive gives an attacker both a channel to exfiltrate data and a pivot toward internal services, with GDPR breach-notification consequences where personal data is involved. In multi-tenant or cloud deployments a single shared extraction service can expose one tenant's files to a document uploaded by another. Regulatory penalties, reputational damage and operational disruption follow from any of these outcomes.
Mitigation Recommendations
To mitigate CVE-2025-66516 effectively, European organizations should:
1) Inventory every copy of tika-core, tika-parser-pdf-module (tika-pdf-module in the advisory) and tika-parsers, including transitive copies bundled inside other products and fat jars. A dependency report (for example mvn dependency:tree -Dincludes=org.apache.tika, or the Gradle dependencies task) plus a check of what is actually loaded at runtime is needed, because the version that decides exposure is tika-core's, not the PDF module's.
2) Upgrade tika-core to 3.2.2 or later and move the parser artifacts to the same version in the same change. Upgrading only tika-parser-pdf-module does not fix the bug. There is no fixed 1.x or 2.x release, so deployments on tika-parsers 1.x must migrate to the 3.x line.
3) Do not count on filtering PDFs for hostile XML: the XFA stream lives inside PDF object streams, normally Flate-compressed, so content inspection upstream of the parser is unreliable. If XFA or AcroForm content is not needed, disable AcroForm extraction in PDFParserConfig (extractAcroFormContent) as a compensating control until the upgrade is live, and confirm on your version that this removes the XFA parsing path.
4) Isolate extraction: run it in a separate process or container with minimal privileges, a read-only file system that holds no secrets, and no outbound network access. Egress filtering is the most effective mitigation against XXE short of the patch, because it removes both out-of-band exfiltration and the request-forgery pivot.
5) Monitor for outbound DNS or HTTP from extraction hosts to unexpected destinations, reads of sensitive paths by the Tika process, XML parser errors in Tika logs that mention DOCTYPE or entity declarations, and extracted text that contains local file contents.
6) Review and tighten file-system permissions for the account running Tika so that an arbitrary-file-read primitive yields as little as possible.
7) Brief developers and administrators on XXE and on the need to upgrade tika-core together with the parser modules rather than the PDF module alone.
8) Treat RASP or WAF XXE signatures as a weak secondary signal only; a WAF cannot see inside a compressed PDF stream, and neither product replaces the upgrade.
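Steps 2 and 3 wired into an extraction service, as an added example that is not Apache Tika project code. It reads the version of the tika-core jar actually on the classpath from the jar manifest's Implementation-Version (assumed to be present, as it is in the Apache-built jars; a shaded fat jar may return null, which the code treats as vulnerable) and, on a host still below 3.2.2, switches off AcroForm extraction through PDFParserConfig as the compensating control, at the cost of form-field text. The assumption that XFA extraction is only reached through the extractAcroFormContent setting should be checked against the Tika version in use.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import org.apache.tika.Tika;
import org.apache.tika.metadata.Metadata;
import org.apache.tika.parser.AutoDetectParser;
import org.apache.tika.parser.ParseContext;
import org.apache.tika.parser.pdf.PDFParserConfig;
import org.apache.tika.sax.BodyContentHandler;

/**
 * Added example, not Apache Tika project code: a start-up version guard for
 * tika-core plus a no-XFA parse context for hosts that are not yet patched.
 */
public class TikaXxeGuard {

    /** First tika-core release carrying the fix, per the advisory. */
    private static final int[] FIXED = {3, 2, 2};

    /**
     * True if version (major.minor.patch; pre-release qualifiers such as
     * "-SNAPSHOT" are ignored) is 3.2.2 or later. Null or unparsable input is
     * treated as vulnerable so that the caller fails safe.
     */
    static boolean isFixedTikaCore(String version) {
        if (version == null) {
            return false;
        }
        String[] parts = version.split("[.-]");
        int[] v = new int[3];
        for (int i = 0; i < 3; i++) {
            if (i >= parts.length) {
                return false;
            }
            try {
                v[i] = Integer.parseInt(parts[i]);
            } catch (NumberFormatException e) {
                return false;
            }
        }
        for (int i = 0; i < 3; i++) {
            if (v[i] != FIXED[i]) {
                return v[i] > FIXED[i];
            }
        }
        return true;
    }

    /** Version of the tika-core jar that was actually loaded, or null if the
     *  manifest does not carry one (assumption: Apache-built jars do). */
    static String loadedTikaCoreVersion() {
        Package p = Tika.class.getPackage();
        return p == null ? null : p.getImplementationVersion();
    }

    /** ParseContext with AcroForm (and therefore, by assumption, XFA) extraction off. */
    static ParseContext noXfaContext() {
        PDFParserConfig pdfConfig = new PDFParserConfig();
        pdfConfig.setExtractAcroFormContent(false);
        ParseContext ctx = new ParseContext();
        ctx.set(PDFParserConfig.class, pdfConfig);
        return ctx;
    }

    /** Full extraction only on a fixed core; otherwise the compensating control. */
    static ParseContext contextForThisHost() {
        String version = loadedTikaCoreVersion();
        if (isFixedTikaCore(version)) {
            return new ParseContext();
        }
        System.err.println("WARNING: tika-core " + version
                + " is below 3.2.2 (CVE-2025-66516); AcroForm/XFA extraction disabled");
        return noXfaContext();
    }

    /** Extracts the text of one PDF with the given context. */
    static String extractText(Path pdf, ParseContext ctx) throws Exception {
        AutoDetectParser parser = new AutoDetectParser();
        BodyContentHandler handler = new BodyContentHandler(-1); // -1: no write limit
        Metadata metadata = new Metadata();
        try (InputStream in = Files.newInputStream(pdf)) {
            parser.parse(in, handler, metadata, ctx);
        }
        return handler.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(extractText(Paths.get(args[0]), contextForThisHost()));
    }
}
```

For Tika Server deployments the same switch is the extractAcroFormContent param of the PDFParser entry in tika-config.xml. The guard is deliberately conservative about unknown versions: a null manifest version means the host cannot prove it is patched, so it gets the reduced parse context rather than the full one.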
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2025-12-03T23:11:17.441Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6931b6d8739651d5d52faf55
Added to database: 12/4/2025, 4:29:12 PM
Last enriched: 1/15/2026, 11:56:49 AM
Last updated: 1/19/2026, 12:29:37 AM