CVE-2025-54988
BaseFortify
Publication date: 2025-08-20
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | tika | From 1.13 (inc) to 3.2.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a critical XML External Entity (XXE) injection flaw in Apache Tika's tika-parser-pdf-module. It occurs when processing a crafted XFA file inside a PDF, allowing an attacker to inject malicious XML entities. This can lead to unauthorized reading of sensitive data or triggering malicious requests to internal or external servers.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing attackers to access sensitive information that the application processes or to make unauthorized requests to internal systems or third-party servers, potentially leading to data breaches or further exploitation within your network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability could lead to unauthorized disclosure of sensitive data, which may result in non-compliance with data protection regulations such as GDPR and HIPAA that require safeguarding personal and sensitive information.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache Tika to version 3.2.2, which fixes this critical XXE vulnerability in the tika-parser-pdf-module. This is the immediate and effective mitigation step.