
A Highly Critical XXE Vulnerability Discovered in Apache Tika: Immediate System Updates Required
A new and extremely dangerous vulnerability has been identified in the Apache Tika platform. Registered as CVE-2025-66516, this flaw has received the maximum CVSS score of 10.0. It allows an attacker who can get a specially crafted PDF file parsed by Tika to read data from the server through XML External Entity (XXE) injection.
How does the vulnerability work?
The attacker embeds a malicious XFA (XML Forms Architecture) document inside a PDF. When Apache Tika parses the PDF, it also processes the attacker-controlled XFA XML, including any external entity declarations it contains, which can lead to:
- reading confidential files on the server,
- accessing internal system directories,
- and, in some cases, remote code execution (RCE).
Which versions are affected?
The vulnerability exists in the following Apache Tika components:
- tika-core: versions 1.13 – 3.2.1 (fixed in 3.2.2)
- tika-parser-pdf-module: versions 2.0.0 – 3.2.1 (fixed in 3.2.2)
- tika-parsers (1.x): versions 1.13 – 1.28.5 (fixed in 2.0.0)
It is important to note that updating only the PDF parser module is not enough: the root cause of the vulnerability lies in tika-core, so a deployment that still runs an affected tika-core version remains exposed even with a patched tika-parser-pdf-module.
Why is this vulnerability so dangerous?
- It can be triggered simply by uploading a PDF document.
- Apache Tika runs automatically in the background in many systems.
- XXE vulnerabilities enable attackers to steal confidential files, configurations, and system information.
- Tika is integrated into major infrastructures — document processing pipelines, indexing systems, AI workflows, and search services.
As a result, a single flaw can undermine the security of the entire infrastructure.
What needs to be done?
The Apache Tika team urges all users to urgently update to the following versions:
- tika-core: 3.2.2
- tika-parser-pdf-module: 3.2.2
- tika-parsers (1.x): 2.0.0
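An added example, not part of this advisory and not code from the Apache Tika project: a small Python audit that scans `mvn dependency:list` output for the Tika artifacts listed above, using the affected ranges and fixed versions as stated here, and specifically flags the case where only the PDF module was updated while tika-core was left behind. The dependency lines in SAMPLE are constructed.

```python
"""Audit Maven dependency output for Tika artifacts affected by CVE-2025-66516."""
import re

# Inclusive affected ranges and fixed version, as given in the advisory text.
AFFECTED = {
    "tika-core": (("1.13", "3.2.1"), "3.2.2"),
    "tika-parser-pdf-module": (("2.0.0", "3.2.1"), "3.2.2"),
    "tika-parsers": (("1.13", "1.28.5"), "2.0.0"),
}

# Matches artifact lines printed by `mvn dependency:list`, e.g.
#   [INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
DEP_LINE = re.compile(r"org\.apache\.tika:([\w.-]+):[\w-]+:(\d[\w.-]*)(?::\w+)?")

# Constructed sample: a pipeline that bumped the PDF module but not tika-core.
SAMPLE = """\
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    com.example:app-lib:jar:1.0:compile
"""

def parse_version(v):
    """'3.2.1' -> (3, 2, 1); a non-numeric tail such as '-beta1' is dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def in_range(version, low, high):
    """True when low <= version <= high, comparing numeric components."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)

def audit(dependency_list):
    """Return (artifact, version, fixed_in) for every Tika artifact in an affected range."""
    findings = []
    for line in dependency_list.splitlines():
        m = DEP_LINE.search(line)
        if not m or m.group(1) not in AFFECTED:
            continue
        artifact, version = m.group(1), m.group(2)
        (low, high), fixed = AFFECTED[artifact]
        if in_range(version, low, high):
            findings.append((artifact, version, fixed))
    return findings

def core_still_vulnerable(dependency_list):
    """The advisory's key caveat: a patched PDF module does not help while tika-core is affected."""
    return any(artifact == "tika-core" for artifact, _, _ in audit(dependency_list))

if __name__ == "__main__":
    for artifact, version, fixed in audit(SAMPLE):
        print(f"{artifact} {version} is affected by CVE-2025-66516; upgrade to {fixed}")
```

Feed it the real output of `mvn dependency:list` for each service that embeds Tika; any finding for tika-core means the deployment is still exposed regardless of the PDF module version.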
If your organization runs automated document-processing systems, the exposure is even greater, so it is essential to thoroughly audit every server and service that embeds Tika.
CVE-2025-66516 is one of the most critical vulnerabilities ever discovered in Apache Tika.
A simple PDF file can cause severe damage, lead to data theft, and bypass system security.
Timely updates and strengthened security measures are the best way to prevent potential attacks.