Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch

A newly disclosed security flaw in Apache Tika has been rated a maximum-severity threat, prompting urgent calls for users to update affected components. The vulnerability, tracked as CVE-2025-66516, carries a CVSS score of 10.0 and enables attackers to execute XML External Entity (XXE) injection attacks through specially crafted PDF files.

XXE Flaw Impacts Multiple Apache Tika Modules

According to project maintainers, the flaw affects several widely used Maven packages across Tika’s core and parsing modules. The issue arises when a maliciously constructed XFA file embedded inside a PDF triggers unsafe XML processing.

Affected packages include:

  • tika-core versions 1.13 to 3.2.1 — patched in 3.2.2
  • tika-parser-pdf-module versions 2.0.0 to 3.2.1 — patched in 3.2.2
  • tika-parsers versions 1.13 to 1.28.5 — patched in 2.0.0

XXE vulnerabilities allow attackers to manipulate how applications process XML, potentially granting access to sensitive server files and, in severe cases, enabling remote code execution.

Related Flaws and Expanded Scope

The Apache Tika team said this vulnerability expands upon a similar issue, CVE-2025-54988, disclosed in August 2025. Although that flaw had a lower CVSS score of 8.4, CVE-2025-66516 affects a broader set of components.

The maintainers highlighted two critical oversights in the earlier advisory:

  1. Root cause located in tika-core — Users who updated only the PDF parsing module remained exposed if they did not also update tika-core to version 3.2.2 or later.
  2. Impact on 1.x releases — The earlier advisory did not note that the vulnerable PDFParser existed within the tika-parsers module in legacy 1.x versions.

Urgent Update Recommended

Given the gravity of the flaw and its potential to compromise server environments, developers and administrators are strongly advised to apply the latest patches immediately.

Updating to the fixed versions — tika-core 3.2.2, tika-parser-pdf-module 3.2.2, and tika-parsers 2.0.0 — is essential to mitigate exploitation risk.
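To make the affected ranges above actionable, here is an added checker (not code from the Apache Tika project or this article) that scans the output of `mvn dependency:list` for Tika artifacts inside the ranges the advisory lists; the line format it parses and the sample dependency output are assumptions constructed for this example.

```python
"""Flag Maven dependencies inside the CVE-2025-66516 affected ranges.
The ranges and fixed versions come from the advisory text; the sample
dependency output below is constructed for illustration."""
import re

# artifactId -> (first affected, last affected, fixed in), per the advisory
AFFECTED = {
    "tika-core": ("1.13", "3.2.1", "3.2.2"),
    "tika-parser-pdf-module": ("2.0.0", "3.2.1", "3.2.2"),
    "tika-parsers": ("1.13", "1.28.5", "2.0.0"),
}

# Assumed line shape from `mvn dependency:list`, e.g.
# "[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile"
DEP_RE = re.compile(r"org\.apache\.tika:([\w-]+):[\w-]+:([\d.]+[\w.-]*):\w+")


def parse_version(v):
    """Turn '3.2.1' (or '3.2.1-SNAPSHOT') into a comparable tuple of ints."""
    core = v.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def is_affected(artifact, version):
    """True when artifact@version lies inside the advisory's affected range."""
    if artifact not in AFFECTED:
        return False
    lo, hi, _fixed = AFFECTED[artifact]
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def scan_dependency_list(text):
    """Return (artifact, version, fixed_in) for every affected Tika artifact."""
    findings = []
    for m in DEP_RE.finditer(text):
        artifact, version = m.group(1), m.group(2)
        if is_affected(artifact, version):
            findings.append((artifact, version, AFFECTED[artifact][2]))
    return findings


# Constructed sample: the PDF module was patched but tika-core was not,
# which is exactly the oversight the advisory calls out.
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.example:unrelated-lib:jar:1.0.0:compile
"""

if __name__ == "__main__":
    for artifact, version, fixed in scan_dependency_list(SAMPLE):
        print(f"{artifact} {version}: affected by CVE-2025-66516, upgrade to {fixed}")
```

Run it against `mvn dependency:list -DoutputFile=deps.txt` output from your own build to catch a half-applied upgrade like the one in the sample.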

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO