CVE-2019-10088
Description
A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted zip file can cause a denial of service (OOM) in Apache Tika's RecursiveParserWrapper versions 1.7 to 1.21.
Vulnerability Overview
CVE-2019-10088 is a denial-of-service vulnerability in Apache Tika, a content analysis toolkit. A carefully crafted or corrupt zip file can trigger an out-of-memory (OOM) condition in the RecursiveParserWrapper component, crashing the application. The issue affects Apache Tika versions 1.7 through 1.21 [1].
Attack Vector
An attacker exploits this flaw by delivering a malicious ZIP file to a vulnerable Apache Tika instance. No authentication is required if the attacker can provide the file directly (e.g., via upload), making the attack surface broad in environments where untrusted files are processed.
Impact
Successful exploitation results in a denial of service—the application runs out of memory and becomes unavailable. This can disrupt services relying on Apache Tika for document parsing, such as content extraction or file analysis pipelines.
Mitigation
Apache Tika version 1.22 fixes the vulnerability by improving memory handling during zip processing. Users are advised to upgrade to 1.22 or later. No workaround is provided in the advisory [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tika:tika-core (Maven) | >= 1.7, < 1.22 | 1.22 |
Affected products
- Apache/Apache Tika, range: 1.7 to 1.21
References
- github.com/advisories/GHSA-mfwh-gqx8-c787 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10088 (ghsa, ADVISORY)
- lists.apache.org/thread.html/1c63555609b737c20d1bbfa4a3e73ec488e3408a84e2f5e47e1b7e08%40%3Cdev.tika.apache.org%3E (mitre, x_refsource_CONFIRM)
- lists.apache.org/thread.html/1c63555609b737c20d1bbfa4a3e73ec488e3408a84e2f5e47e1b7e08@%3Cdev.tika.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/39723d8227b248781898c200aa24b154683673287b150a204b83787d%40%3Cdev.tika.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/39723d8227b248781898c200aa24b154683673287b150a204b83787d@%3Cdev.tika.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/da9ee189d1756f8508d0f2386d8e25aca5a6df541739829232be8a94%40%3Cdev.tika.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/da9ee189d1756f8508d0f2386d8e25aca5a6df541739829232be8a94@%3Cdev.tika.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/fb6c84fd387de997e5e366d50b0ca331a328c466432c80f8c5eed33d%40%3Cdev.tika.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/fb6c84fd387de997e5e366d50b0ca331a328c466432c80f8c5eed33d@%3Cdev.tika.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E (ghsa, WEB)
- security.netapp.com/advisory/ntap-20190828-0004 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20190828-0004/ (mitre, x_refsource_CONFIRM)
- www.oracle.com/security-alerts/cpuapr2020.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujan2020.html (ghsa, x_refsource_MISC, WEB)