CVE-2025-66516
📋 TL;DR
This critical XXE vulnerability in Apache Tika allows attackers to perform XML External Entity injection via crafted XFA files within PDF documents. It affects all platforms running vulnerable versions of tika-core, tika-pdf-module, and tika-parsers modules. Organizations processing untrusted PDF files with Apache Tika are at risk.
💻 Affected Systems
- Apache Tika tika-core
- Apache Tika tika-pdf-module
- Apache Tika tika-parsers
📦 What is this software?
Apache Tika, the content detection and text/metadata extraction toolkit maintained by the Apache Software Foundation; the PDF parser is the component affected here.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including arbitrary file read, server-side request forgery (SSRF), and potential remote code execution depending on system configuration.
Likely Case
Sensitive file disclosure from the server, internal network reconnaissance via SSRF, and denial of service through resource exhaustion.
If Mitigated
Limited impact if proper input validation and XML parser hardening are implemented, though some information disclosure may still occur.
🎯 Exploit Status
Exploitation requires only a malicious PDF file with crafted XFA content. No authentication needed if Tika processes untrusted PDFs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: tika-core >= 3.2.2, tika-pdf-module >= 3.2.2, tika-parsers >= 1.28.6
Vendor Advisory: https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
Restart Required: Yes
Instructions:
1. Identify all Apache Tika installations.
2. Update tika-core to version 3.2.2 or higher.
3. Update tika-pdf-module to version 3.2.2 or higher.
4. Update tika-parsers to version 1.28.6 or higher.
5. Restart all Tika services and applications.
🔧 Temporary Workarounds
Disable external entity processing
Configure XML parsers to disable external entity resolution (all platforms).
Set XML parser properties:
- FEATURE_SECURE_PROCESSING=true
- http://apache.org/xml/features/disallow-doctype-decl=true
- http://xml.org/sax/features/external-general-entities=false
- http://xml.org/sax/features/external-parameter-entities=false
Block XFA processing
Configure Tika to reject PDF files containing XFA forms (all platforms).
Set tika.config property: <parser class="org.apache.tika.parser.pdf.PDFParser"><params><param name="allowXFA" type="bool">false</param></params></parser>
🧯 If You Can't Patch
- Implement strict input validation to reject PDF files with XFA content
- Deploy network segmentation and restrict Tika services from accessing sensitive internal resources
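One way to implement the XFA rejection from the list above, as an added example that is neither part of this advisory nor Tika's own code: a Python pre-filter that scans a PDF for an /XFA dictionary key before the file is handed to Tika. It also looks inside FlateDecode object streams, where the /AcroForm dictionary may live, and fails closed on anything it cannot inflate. The sample PDFs are constructed inline and are minimal skeletons, not real documents.

```python
"""Reject PDFs that declare XFA forms before they reach Tika; fails closed."""
import re
import zlib

# /XFA used as a dictionary key: a PDF delimiter or whitespace on both sides.
XFA_KEY = re.compile(rb"(?<=[\s\[\]<>(){}/%])/XFA(?=[\s\[\]<>(){}/%])")
OBJECT = re.compile(rb"\d+\s+\d+\s+obj\b(.*?)endobj", re.DOTALL)
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def _unescape_names(text: bytes) -> bytes:
    """PDF names may hex-escape characters (/XF#41 is /XFA); normalise first."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), text)

def pdf_declares_xfa(data: bytes) -> bool:
    """True if the file should be rejected as carrying (or possibly hiding) XFA.
    Object streams (/Type /ObjStm) can hold the /AcroForm dictionary, so FlateDecode
    ones are inflated and scanned; one that cannot be inflated (other filter,
    encrypted, corrupt) counts as XFA so that the check fails closed."""
    if XFA_KEY.search(_unescape_names(data)):
        return True
    for obj in OBJECT.finditer(data):
        body = obj.group(1)
        if not re.search(rb"/Type\s*/ObjStm", body):
            continue
        stream = STREAM.search(body)
        if stream is None or not re.search(rb"/Filter\s*/FlateDecode", body):
            return True  # cannot inspect this object stream: fail closed
        try:
            inner = zlib.decompressobj().decompress(stream.group(1))
        except zlib.error:
            return True
        if XFA_KEY.search(_unescape_names(inner)):
            return True
    return False

# Constructed sample files: minimal skeletons without an xref table, enough for the scan.
def _pdf(catalog: bytes, extra: bytes = b"") -> bytes:
    return (b"%PDF-1.7\n1 0 obj\n" + catalog + b"\nendobj\n2 0 obj\n<< /Type /Pages "
            b"/Kids [] /Count 0 >>\nendobj\n" + extra + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

def _objstm(inner: bytes, filt: bytes = b"/FlateDecode") -> bytes:
    packed = zlib.compress(inner)
    return (b"4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length %d /Filter %s >>\nstream\n"
            % (len(packed), filt) + packed + b"\nendstream\nendobj\n")

PLAIN_PDF = _pdf(b"<< /Type /Catalog /Pages 2 0 R >>")
XFA_PDF = _pdf(b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [] /XFA 3 0 R >> >>")
ESCAPED_XFA_PDF = _pdf(b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /XF#41 3 0 R >> >>")
HIDDEN_XFA_PDF = _pdf(b"<< /Type /Catalog /Pages 2 0 R >>", _objstm(b"5 0 << /XFA 3 0 R >>"))
OPAQUE_PDF = _pdf(b"<< /Type /Catalog /Pages 2 0 R >>", _objstm(b"5 0 << >>", b"/LZWDecode"))
```

Because the filter errs toward rejection, encrypted PDFs and files using other stream filters will be refused; route those to a patched Tika instance rather than loosening the check.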
🔍 How to Verify
Check if Vulnerable:
Check installed Tika component versions against affected ranges. For Maven projects: mvn dependency:tree | grep tika
Check Version:
java -cp tika-app.jar org.apache.tika.cli.TikaCLI --version
Verify Fix Applied:
Verify all Tika components are at patched versions: tika-core >= 3.2.2, tika-pdf-module >= 3.2.2, tika-parsers >= 1.28.6
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- External entity resolution attempts in logs
- Unexpected outbound network connections from Tika services
Network Indicators:
- Tika services making unexpected HTTP requests to internal/external systems
- Unusual file read patterns from server
SIEM Query:
source="tika.log" AND ("XXE" OR "external entity" OR "DOCTYPE" OR "XFA")