CVE-2019-10094
Description
A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A quine zip file causes StackOverflowError in Apache Tika RecursiveParserWrapper (versions 1.7-1.21); upgrade to 1.22.
Vulnerability Overview
CVE-2019-10094 is a denial-of-service vulnerability in Apache Tika's RecursiveParserWrapper, affecting versions 1.7 through 1.21. The wrapper is designed to recursively parse embedded files within archives. A specially crafted compressed file that, when decompressed, yields an identical copy of itself (a quine) triggers infinite recursion. This leads to a StackOverflowError because the parser lacks a depth limit or cycle detection mechanism [1].
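The two controls named above, a depth limit and cycle detection, shown on a generic embedded-file walker. This is an added sketch, not Apache Tika code and not the 1.22 fix; `walk`, `zip_members`, `nested_zip`, `RecursionGuardError` and the `MAX_DEPTH` value are assumptions made for the illustration.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 10  # assumed limit for this sketch, not a Tika default

class RecursionGuardError(Exception):
    """Raised when embedded content nests too deeply or contains itself."""


def zip_members(data):
    """Return [(name, bytes)] for a ZIP container, or [] for a leaf file."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]


def walk(data, unpack=zip_members, max_depth=MAX_DEPTH):
    """Iteratively visit embedded files; return the number of leaf files."""
    leaves = 0
    # Each work item carries the digests of its ancestors, so a child whose
    # bytes equal any ancestor (the quine case) is caught on first sight.
    stack = [(data, frozenset())]
    while stack:  # explicit work stack: the call stack never grows
        blob, ancestors = stack.pop()
        digest = hashlib.sha256(blob).digest()
        if digest in ancestors:
            raise RecursionGuardError("container embeds a copy of itself")
        if len(ancestors) >= max_depth:
            raise RecursionGuardError("nesting exceeds max_depth")
        children = unpack(blob)
        if not children:
            leaves += 1
            continue
        lineage = ancestors | {digest}
        stack.extend((child, lineage) for _, child in children)
    return leaves


def nested_zip(levels, payload=b"constructed sample payload"):
    """Build a benign ZIP nested `levels` deep (constructed test input)."""
    data = payload
    for n in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(f"level{n}.bin", data)
        data = buf.getvalue()
    return data
```

The guard bounds recursion only; decompressed size and member count need their own limits.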
Exploitation
An attacker can exploit this vulnerability by supplying a malicious file to any Tika instance that uses RecursiveParserWrapper. No authentication is required if the service accepts user-uploaded content. The attack is straightforward: the quine archive acts as a zip bomb, causing the parser to recurse indefinitely until the stack overflows.
Impact
Successful exploitation results in a denial-of-service condition. The application crashes due to the stack overflow, potentially disrupting services that rely on Tika for file content extraction. There is no evidence of code execution or data compromise.
Mitigation
Apache Tika users should upgrade to version 1.22 or later, which includes a fix that prevents infinite recursion. No workaround is documented for earlier versions [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tika:tika-core (Maven) | >= 1.7, < 1.22 | 1.22 |
Affected products
- Apache/Apache Tika [v5] Range: 1.7 to 1.21
References
- github.com/advisories/GHSA-mm7m-xg4h-6m52 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10094 (ghsa, ADVISORY)
- lists.apache.org/thread.html/39723d8227b248781898c200aa24b154683673287b150a204b83787d%40%3Cdev.tika.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/39723d8227b248781898c200aa24b154683673287b150a204b83787d@%3Cdev.tika.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/da9ee189d1756f8508d0f2386d8e25aca5a6df541739829232be8a94%40%3Cdev.tika.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/da9ee189d1756f8508d0f2386d8e25aca5a6df541739829232be8a94@%3Cdev.tika.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/fb6c84fd387de997e5e366d50b0ca331a328c466432c80f8c5eed33d%40%3Cdev.tika.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/fb6c84fd387de997e5e366d50b0ca331a328c466432c80f8c5eed33d@%3Cdev.tika.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/fe876a649d9d36525dd097fe87ff4dcb3b82bb0fbb3a3d71fb72ef61%40%3Cdev.tika.apache.org%3E (mitre, x_refsource_CONFIRM)
- lists.apache.org/thread.html/fe876a649d9d36525dd097fe87ff4dcb3b82bb0fbb3a3d71fb72ef61@%3Cdev.tika.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E (ghsa, WEB)
- www.oracle.com/security-alerts/cpuapr2020.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujan2020.html (ghsa, x_refsource_MISC, WEB)