Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Maximum-severity XXE vulnerability discovered in Apache Tika

A maximum severity vulnerability in Apache Tika, tracked as CVE-2025-66516 (CVSS score of 10.0), allows XML external entity attacks. CVE-2025-66516 carries a maximum CVSS rating of 10.0 because it lets attackers trigger an XXE injection in Apache Tika’s core, PDF, and parser modules. An attacker can embed a malicious XFA file inside a PDF and […]

Maximum-severity XXE vulnerability discovered in Apache Tika

A maximum severity vulnerability in Apache Tika, tracked as CVE-2025-66516 (CVSS score of 10.0), allows XML external entity attacks.

CVE-2025-66516 carries a maximum CVSS rating of 10.0 because it lets attackers trigger an XXE injection in Apache Tika’s core, PDF, and parser modules. An attacker can embed a malicious XFA file inside a PDF and trick Tika into processing external XML entities, opening a path to sensitive internal resources.

Apache Tika is an open-source content analysis toolkit used to extract text, metadata, and structured information from virtually any type of file. Tika is widely used in systems like search indexes, document ingestion pipelines (e.g., Apache Solr, Elasticsearch), compliance tools, and content analysis platforms.

“Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988.” reads the advisory. “However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the “org.apache.tika:tika-parsers” module.”

XXE injection (XML External Entity injection) is a type of security vulnerability that occurs when an application parses XML input insecurely and allows attackers to load external entities, special XML features that reference files or URLs outside the document.

The vulnerability affects the following versions:

  • Apache Tika core (org.apache.tika:tika-core) 1.13 through 3.2.1
  • Apache Tika parsers (org.apache.tika:tika-parsers) 1.13 before 2.0.0
  • Apache Tika PDF parser module (org.apache.tika:tika-parser-pdf-module) 2.0.0 through 3.2.1

According to the advisory, the new CVE describes the same flaw as CVE-2025-54988 but clarifies that the issue is broader. Although it was initially linked to the PDF parser module, the root vulnerability and its fix are actually in tika-core, meaning anyone who updated only the PDF module without upgrading tika-core to version 3.2.2 or later remains exposed. It also notes that older Tika 1.x releases include PDFParser inside the tika-parsers module, expanding the set of affected packages beyond what the first advisory stated.

“This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.” “Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the “org.apache.tika:tika-parsers” module.”

The project maintainers urge users to install the updates as soon as possible.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, XXE injection)