CVE-2018-1339
Description
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted CHM file triggers an infinite loop in Apache Tika's ChmParser, affecting versions before 1.18.
Vulnerability
Apache Tika versions before 1.18 contain an infinite loop vulnerability in the ChmParser when processing a specially crafted CHM (Compiled HTML) file. The bug resides in the enumerateChmDirectoryListingList method, which iterates over directory listing blocks without cycle detection, allowing a malicious file to cause an endless loop [3][4].
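The traversal described above, modelled on a constructed table of "next block" indices. This is an added example, not Tika's code or the project's patch; `BlockChainWalk`, `walk` and `MalformedChainException` are hypothetical names. It goes slightly beyond the cycle check by also rejecting an index that falls outside the table.

```java
import java.util.HashSet;
import java.util.Set;

// Added illustration; all names are hypothetical and this is not Tika's code.
public class BlockChainWalk {

    /** Thrown when the chain of block indices cannot be followed safely. */
    static class MalformedChainException extends Exception {
        MalformedChainException(String msg) { super(msg); }
    }

    /**
     * Follows a chain of block indices, where next[i] is the block that
     * follows block i and a negative value ends the chain.
     * Returns the number of blocks visited.
     */
    static int walk(int[] next, int start) throws MalformedChainException {
        Set<Integer> processed = new HashSet<>();
        int visited = 0;
        for (int i = start; i >= 0; ) {
            if (i >= next.length) {
                throw new MalformedChainException("block " + i + " is out of range");
            }
            // add() returns false when the index was already seen: a cycle.
            if (!processed.add(i)) {
                throw new MalformedChainException("block " + i + " already processed");
            }
            visited++;
            i = next[i];
        }
        return visited;
    }

    public static void main(String[] args) {
        // Constructed inputs: each array is a table of "next block" fields.
        int[][] chains = {
            {1, 2, -1},   // well-formed: 0 -> 1 -> 2 -> end
            {0},          // block 0 points at itself
            {1, 2, 1},    // 0 -> 1 -> 2 -> 1: cycle that never revisits block 0
            {1, 7},       // block 1 points outside the table
        };
        for (int[] chain : chains) {
            try {
                System.out.println("ok, blocks visited: " + walk(chain, 0));
            } catch (MalformedChainException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Without the `processed` set, the second and third tables would keep the loop running indefinitely, because the only exit condition is a negative next index.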
Exploitation
An attacker can exploit this vulnerability by providing a crafted CHM file to an application that uses Apache Tika for document parsing. No authentication or special network access is required; the attack vector involves user interaction such as opening a file or uploading it to a service [3].
Impact
Successful exploitation results in a denial of service (DoS) due to an infinite loop, which can lead to resource exhaustion (CPU and memory) and an application hang [2][3]. No code execution or data leakage is implied.
Mitigation
The issue is fixed in Apache Tika 1.18 [1][3][4]. Users should upgrade to version 1.18 or later. For Red Hat Fuse 7.1, the fix is included in the RHSA-2018:2669 advisory [2]. No known workarounds are available for earlier versions.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tika:tika-parsers (Maven) | < 1.18 | 1.18 |
Affected products
- Apache Software Foundation/Apache Tika (v5), Range: < 1.18
Patches
1 file changed · +10 −2
tika-parsers/src/main/java/org/apache/tika/parser/chm/accessor/ChmDirectoryListingSet.java+10 −2 modified@@ -20,7 +20,9 @@ import java.math.BigInteger; import java.util.ArrayList; +import java.util.HashSet; import java.util.List; +import java.util.Set; import org.apache.tika.exception.TikaException; import org.apache.tika.parser.chm.core.ChmCommons; @@ -137,6 +139,7 @@ private void enumerateChmDirectoryListingList(ChmItsfHeader chmItsHeader, /* loops over all pmgls */ byte[] dir_chunk = null; + Set<Integer> processed = new HashSet<>(); for (int i = startPmgl; i>=0; ) { dir_chunk = new byte[(int) chmItspHeader.getBlock_len()]; int start = i * (int) chmItspHeader.getBlock_len() + dir_offset; @@ -147,10 +150,15 @@ private void enumerateChmDirectoryListingList(ChmItsfHeader chmItsHeader, PMGLheader = new ChmPmglHeader(); PMGLheader.parse(dir_chunk, PMGLheader); enumerateOneSegment(dir_chunk); - - i=PMGLheader.getBlockNext(); + int nextBlock = PMGLheader.getBlockNext(); + processed.add(i); + if (processed.contains(nextBlock)) { + throw new ChmParsingException("already processed block; avoiding cycle"); + } + i=nextBlock; dir_chunk = null; } + System.out.println("done"); } catch (ChmParsingException e) { LOG.warn("Chm parse exception", e); } finally {
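Review bot: `System.out.println("done");` after the loop in the last hunk looks like leftover debug output; in a parsing library it writes to the caller's stdout every time a CHM directory listing is enumerated without an exception, so it should be dropped or routed through the existing `LOG`. In the same hunk, the new `ChmParsingException("already processed block; avoiding cycle")` is caught by the `catch (ChmParsingException e)` directly below and only logged with `LOG.warn`, so a file with a cyclic block chain produces a partial directory listing instead of an error the caller can see; it is worth confirming that this is the intended behaviour. The change touches a single file, so a regression test with a cyclic sample would also be a useful addition.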
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2018:2669 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- github.com/advisories/GHSA-p699-3wgc-7h72 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-1339 (ghsa, ADVISORY)
- github.com/apache/tika/commit/1b6ca3685c196cfd89f5f95c19cc919ce10c5aff (ghsa, WEB)
- lists.apache.org/thread.html/4d2cb5c819401bb075e2a1130e0d14f0404a136541a6f91da0225828%40%3Cdev.tika.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/4d2cb5c819401bb075e2a1130e0d14f0404a136541a6f91da0225828@%3Cdev.tika.apache.org%3E (ghsa, WEB)