CVE-2025-66516: CWE-611 Improper Restriction of XML External Entity Reference in Apache Software Foundation Apache Tika core
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
AI Analysis
Technical Summary
CVE-2025-66516 is a critical vulnerability classified under CWE-611 (Improper Restriction of XML External Entity Reference) affecting Apache Tika core and its associated modules tika-pdf-module and tika-parsers. Apache Tika is widely used for content analysis and document parsing, including PDFs. The vulnerability allows an attacker to craft a malicious XFA (XML Forms Architecture) file embedded within a PDF document that triggers an XML External Entity (XXE) injection when parsed by vulnerable versions of Tika (tika-core versions 1.13 through 3.2.1, tika-pdf-module 2.0.0 through 3.2.1, and tika-parsers 1.13 through 1.28.5). This XXE flaw enables attackers to read arbitrary files on the host system, potentially exfiltrate sensitive data, cause denial of service by resource exhaustion, or execute other XML-based attacks. The vulnerability is exploitable remotely without authentication or user interaction, as it is triggered by simply processing a crafted PDF file. The initial discovery was reported under CVE-2025-54988, which focused on tika-pdf-module, but further analysis revealed that the root cause and fix reside in tika-core, meaning that upgrading only tika-pdf-module is insufficient. Additionally, older 1.x releases include the vulnerable PDFParser in tika-parsers, expanding the affected scope. The CVSS 4.0 vector scores this vulnerability as 10.0 (critical), reflecting its network attack vector, low complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No public exploits have been observed yet, but the vulnerability's nature and severity make it a prime target for attackers. Organizations relying on Apache Tika for automated document processing should urgently upgrade to tika-core version 3.2.2 or later and ensure all related modules are consistently updated to mitigate this risk.
Potential Impact
For European organizations, the impact of CVE-2025-66516 is significant due to the widespread use of Apache Tika in document processing workflows across various sectors such as finance, legal, government, and media. Exploitation could lead to unauthorized disclosure of sensitive information, including personal data protected under GDPR, causing regulatory and reputational damage. The ability to execute denial of service attacks may disrupt critical business operations and services. Since the vulnerability can be triggered remotely without authentication, attackers could leverage it to infiltrate networks or pivot to further attacks. The broad range of affected versions and modules increases the likelihood that many organizations have vulnerable deployments, especially those with legacy or partially updated software stacks. The critical severity and ease of exploitation mean that attackers could weaponize this vulnerability rapidly once exploit code becomes available, increasing the urgency for European entities to act. Additionally, the potential for data breaches could have cascading effects on supply chains and partner organizations within Europe.
Mitigation Recommendations
1. Immediately upgrade all Apache Tika components to tika-core version 3.2.2 or later, ensuring that tika-pdf-module and tika-parsers are also updated to compatible secure versions to fully remediate the vulnerability.
2. Conduct a comprehensive inventory of all systems and applications using Apache Tika to identify vulnerable versions, including indirect dependencies in third-party software.
3. Implement strict input validation and sanitization for all XML and PDF files processed by Tika to detect and block malicious XFA content.
4. Employ network-level protections such as sandboxing or isolation for document processing services to limit potential damage from exploitation.
5. Monitor logs and network traffic for unusual activity indicative of XXE exploitation attempts, including unexpected outbound connections or file access patterns.
6. Engage with software vendors and open-source communities to track patches and advisories related to Apache Tika.
7. Consider deploying Web Application Firewalls (WAFs) with rules targeting XXE attack signatures in environments exposing document upload or parsing functionalities.
8. Educate development and security teams about the risks of XML external entity vulnerabilities and secure coding practices to prevent similar issues in the future.
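As an added, defender-side example (not code from the advisory or from the Apache Tika project), the following Python script supports step 2 above: it checks a Maven dependency listing against the affected ranges stated in this advisory and specifically flags the case the description warns about, a patched PDF module sitting on an unpatched tika-core. It assumes the `groupId:artifactId:type:version:scope` line format that `mvn dependency:list` prints, accepts both names the page uses for the PDF module, and treats only the version ranges quoted in this advisory as affected; the sample dependency listings are constructed, not taken from a real build.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges (inclusive) exactly as stated in the advisory. Both names the
# page uses for the PDF module are accepted; org.apache.tika:tika-parser-pdf-module
# is the Maven artifactId used in Tika 2.x/3.x.
AFFECTED: Dict[str, Tuple[str, str]] = {
    "tika-core": ("1.13", "3.2.1"),
    "tika-parser-pdf-module": ("2.0.0", "3.2.1"),
    "tika-pdf-module": ("2.0.0", "3.2.1"),
    "tika-parsers": ("1.13", "1.28.5"),
}
FIXED_CORE = "3.2.2"  # tika-core version the advisory names as fixed

# One `mvn dependency:list` line: groupId:artifactId:type:version:scope,
# optionally prefixed with the "[INFO]" log marker.
_DEP_RE = re.compile(r"^\s*(?:\[INFO\]\s+)?([\w.-]+):([\w.-]+):(\w+):([\w.-]+):(\w+)")


def parse_version(text: str) -> Version:
    """Turn '3.2.1', '1.13' or '2.0.0-SNAPSHOT' into a comparable 3-tuple.
    Non-numeric suffixes are ignored; missing components count as 0."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):  # e.g. '0-SNAPSHOT': stop after the digits
            break
    parts = (parts + [0, 0, 0])[:3]
    return (parts[0], parts[1], parts[2])


def is_affected(artifact: str, version: str) -> bool:
    """True if artifact@version lies inside an advisory-listed range."""
    rng = AFFECTED.get(artifact)
    if rng is None:
        return False
    lo, hi = parse_version(rng[0]), parse_version(rng[1])
    return lo <= parse_version(version) <= hi


def parse_maven_dependency_list(output: str) -> Dict[Tuple[str, str], str]:
    """Map (groupId, artifactId) -> version for every dependency line found."""
    deps: Dict[Tuple[str, str], str] = {}
    for line in output.splitlines():
        m = _DEP_RE.match(line)
        if m:
            group, artifact, _type, version, _scope = m.groups()
            deps[(group, artifact)] = version
    return deps


def assess(deps: Dict[Tuple[str, str], str]) -> List[str]:
    """Return one finding per problem; an empty list means nothing is affected."""
    findings: List[str] = []
    tika = {a: v for (g, a), v in deps.items() if g == "org.apache.tika"}
    for artifact, version in sorted(tika.items()):
        if is_affected(artifact, version):
            findings.append(f"{artifact}:{version} is in an affected range")
    core = tika.get("tika-core")
    pdf = tika.get("tika-parser-pdf-module") or tika.get("tika-pdf-module")
    # The advisory's central point: a patched PDF module over an unpatched
    # tika-core is still vulnerable, because the flaw and its fix live in core.
    if core and pdf and is_affected("tika-core", core) \
            and parse_version(pdf) >= parse_version(FIXED_CORE):
        findings.append(
            f"partial upgrade: PDF module {pdf} is patched but tika-core {core} "
            f"is not (need >= {FIXED_CORE})"
        )
    return findings


# Constructed sample listings (placeholder third-party artifact, not real data).
SAMPLE_PARTIAL_UPGRADE = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.example:other-lib:jar:1.0.0:compile
"""
SAMPLE_LEGACY_1X = """\
[INFO]    org.apache.tika:tika-core:jar:1.28.5:compile
[INFO]    org.apache.tika:tika-parsers:jar:1.28.5:compile
"""
SAMPLE_FIXED = """\
[INFO]    org.apache.tika:tika-core:jar:3.2.2:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
"""

if __name__ == "__main__":
    for name, sample in [("partial upgrade", SAMPLE_PARTIAL_UPGRADE),
                         ("legacy 1.x", SAMPLE_LEGACY_1X),
                         ("fixed", SAMPLE_FIXED)]:
        print(name, "->", assess(parse_maven_dependency_list(sample)) or ["clean"])
```

Run it against the output of `mvn dependency:list` from each build that pulls in Tika; any "partial upgrade" finding means the upgrade in step 1 was applied to the PDF module but not to tika-core and the deployment remains exposed.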
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2025-12-03T23:11:17.441Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6931b6d8739651d5d52faf55
Added to database: 12/4/2025, 4:29:12 PM
Last enriched: 12/4/2025, 4:42:30 PM
Last updated: 12/5/2025, 3:12:47 AM
Views: 67