CVE-2025-66516
BaseFortify
Publication date: 2025-12-04
Last updated on: 2025-12-30
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | tika | From 1.13 (inc) to 3.2.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a critical XML External Entity (XXE) injection flaw in Apache Tika's tika-core, tika-pdf-module, and tika-parsers modules. An attacker embeds a crafted XFA form inside a PDF; when Tika extracts and parses the XFA's XML, external entities declared in that XML are resolved, which is the XXE attack. This can lead to unauthorized access to or manipulation of data during XML parsing.
How can this vulnerability impact me?
The vulnerability can allow an attacker to execute XML External Entity injection attacks, potentially leading to unauthorized data access, data leakage, or denial of service. The CVSS score is 10.0 (critical): the attack requires no privileges and no user interaction, so an attacker can exploit it remotely and easily, severely compromising affected systems.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Apache Tika to tika-core 3.2.2 or later. Ensure that tika-core, tika-pdf-module, and tika-parsers are all updated to non-vulnerable versions, since a mixed set of module versions can leave the XFA-in-PDF path exposed to XML External Entity injection.
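Upgrading is the fix for this CVE; the following is an added, defender-side example (not Apache Tika's code, and not the patch for this CVE) showing how an application that parses XML taken from untrusted documents, such as XFA extracted from PDFs, can configure the JDK's DOM parser so that DOCTYPE declarations and external entities (the CWE-611 mechanism above) are rejected. The class name `HardenedXmlParser`, the helper `parsesWithoutExternalEntities`, and the two sample inputs are constructed for this example; the feature URIs are the standard Xerces/SAX feature names used by the JDK parser.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

import java.io.IOException;
import java.io.StringReader;

public class HardenedXmlParser {

    // Build a DOM parser with DTD processing and external entity resolution disabled.
    // With disallow-doctype-decl set, any document carrying a DOCTYPE is rejected
    // outright, which closes the XXE path regardless of what the entities point to.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Returns true when the XML parses under the hardened configuration,
    // false when the parser refuses it (e.g. because it declares a DOCTYPE).
    // Hypothetical helper for this example.
    public static boolean parsesWithoutExternalEntities(String xml) {
        try {
            DocumentBuilder db = newHardenedBuilder();
            db.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            // The hardened parser raises SAXParseException on a DOCTYPE declaration.
            return false;
        } catch (ParserConfigurationException | IOException e) {
            throw new IllegalStateException("parser setup failed", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a harmless XFA-like form fragment.
        String benign = "<form><field name=\"title\">hello</field></form>";

        // Constructed sample: the same form preceded by a DOCTYPE that declares an
        // external entity. The URI is a placeholder; the hardened parser rejects the
        // document at the DOCTYPE, before any entity would be resolved.
        String withDoctype =
            "<!DOCTYPE form [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>"
            + "<form><field name=\"title\">&ext;</field></form>";

        System.out.println("benign parses:        " + parsesWithoutExternalEntities(benign));
        System.out.println("doctype input parses: " + parsesWithoutExternalEntities(withDoctype));
    }
}
```

When run, the benign fragment parses and the DOCTYPE-bearing input is refused. Applying this configuration at every place XML from untrusted documents is parsed is a defence-in-depth measure alongside the version upgrade, not a substitute for it, because the vulnerable code path inside Tika uses its own parser instances.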