Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA
Description
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard.
Users are recommended to upgrade to version 3.2.2, which fixes this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tika:tika-parser-pdf-moduleMaven | >= 1.13, < 3.2.2 | 3.2.2 |
org.apache.tika:tika-parsersMaven | >= 1.13, < 2.0.0-ALPHA | 2.0.0-ALPHA |
Affected products
114- osv-coords113 versionspkg:apk/chainguard/elasticsearch-8pkg:apk/chainguard/elasticsearch-8.17pkg:apk/chainguard/elasticsearch-8.17-bitnamipkg:apk/chainguard/elasticsearch-8.17-configpkg:apk/chainguard/elasticsearch-8-bitnamipkg:apk/chainguard/elasticsearch-8-configpkg:apk/chainguard/elasticsearch-8-iamguardedpkg:apk/chainguard/elasticsearch-9pkg:apk/chainguard/elasticsearch-9-bitnamipkg:apk/chainguard/elasticsearch-9-configpkg:apk/chainguard/elasticsearch-9-iamguardedpkg:apk/chainguard/elasticsearch-configpkg:apk/chainguard/elasticsearch-fips-8pkg:apk/chainguard/elasticsearch-fips-8-bitnamipkg:apk/chainguard/elasticsearch-fips-8-configpkg:apk/chainguard/elasticsearch-fips-8-policy-140-2pkg:apk/chainguard/elasticsearch-fips-8-policy-140-3pkg:apk/chainguard/elasticsearch-fips-9pkg:apk/chainguard/elasticsearch-fips-9.0pkg:apk/chainguard/elasticsearch-fips-9.0-bitnamipkg:apk/chainguard/elasticsearch-fips-9.0-configpkg:apk/chainguard/elasticsearch-fips-9.1pkg:apk/chainguard/elasticsearch-fips-9.1-bitnamipkg:apk/chainguard/elasticsearch-fips-9.1-configpkg:apk/chainguard/elasticsearch-fips-9-bitnamipkg:apk/chainguard/elasticsearch-fips-9-configpkg:apk/chainguard/opensearch-2pkg:apk/chainguard/opensearch-2-alertingpkg:apk/chainguard/opensearch-2-analysis-icupkg:apk/chainguard/opensearch-2-analysis-kuromojipkg:apk/chainguard/opensearch-2-analysis-noripkg:apk/chainguard/opensearch-2-analysis-phoneticpkg:apk/chainguard/opensearch-2-analysis-smartcnpkg:apk/chainguard/opensearch-2-analysis-stempelpkg:apk/chainguard/opensearch-2-analysis-ukrainianpkg:apk/chainguard/opensearch-2-anomaly-detectionpkg:apk/chainguard/opensearch-2-asynchronous-searchpkg:apk/chainguard/opensearch-2-cross-cluster-replicationpkg:apk/chainguard/opensearch-2-crypto-kmspkg:apk/chainguard/opensearch-2-custom-codecspkg:apk/chainguard/opensearch-2-discovery-azure-classicpkg:apk/chainguard/opensearch-2-discovery-ec2pkg:apk/chainguard/opensearch-2-discovery-gcepkg:apk/chainguard/opensearch-2-entrypoint-compatpkg:apk/chainguard/opensearch-2-geospatialpkg:apk/chainguard/opensearch-2-identity-shiropkg:apk/chainguard/opensearch-2-index-managementpkg:apk/chainguard/opensearch-2-ingest-attachmentpkg:apk/chainguard/opensearch-2-job-schedulerpkg:apk/chainguard/opensearch-2-k-nnpkg:apk/chainguard/opensearch-2-mapper-annotated-textpkg:apk/chainguard/opensearch-2-mapper-murmur3pkg:apk/chainguard/opensearch-2-mapper-sizepkg:apk/chainguard/opensearch-2-ml-commonspkg:apk/chainguard/opensearch-2-neural-searchpkg:apk/chainguard/opensearch-2-notificationspkg:apk/chainguard/opensearch-2-observabilitypkg:apk/chainguard/opensearch-2-performance-analyzerpkg:apk/chainguard/opensearch-2-reportingpkg:apk/chainguard/opensearch-2-repository-azurepkg:apk/chainguard/opensearch-2-repository-gcspkg:apk/chainguard/opensearch-2-repository-s3pkg:apk/chainguard/opensearch-2-securitypkg:apk/chainguard/opensearch-2-security-analyticspkg:apk/chainguard/opensearch-2-sqlpkg:apk/chainguard/opensearch-2-store-smbpkg:apk/chainguard/opensearch-2-telemetry-otelpkg:apk/chainguard/opensearch-2-transport-niopkg:apk/chainguard/opensearch-3pkg:apk/wolfi/opensearch-2pkg:apk/wolfi/opensearch-2-alertingpkg:apk/wolfi/opensearch-2-analysis-icupkg:apk/wolfi/opensearch-2-analysis-kuromojipkg:apk/wolfi/opensearch-2-analysis-noripkg:apk/wolfi/opensearch-2-analysis-phoneticpkg:apk/wolfi/opensearch-2-analysis-smartcnpkg:apk/wolfi/opensearch-2-analysis-stempelpkg:apk/wolfi/opensearch-2-analysis-ukrainianpkg:apk/wolfi/opensearch-2-anomaly-detectionpkg:apk/wolfi/opensearch-2-asynchronous-searchpkg:apk/wolfi/opensearch-2-cross-cluster-replicationpkg:apk/wolfi/opensearch-2-crypto-kmspkg:apk/wolfi/opensearch-2-custom-codecspkg:apk/wolfi/opensearch-2-discovery-azure-classicpkg:apk/wolfi/opensearch-2-discovery-ec2pkg:apk/wolfi/opensearch-2-discovery-gcepkg:apk/wolfi/opensearch-2-geospatialpkg:apk/wolfi/opensearch-2-identity-shiropkg:apk/wolfi/opensearch-2-index-managementpkg:apk/wolfi/opensearch-2-ingest-attachmentpkg:apk/wolfi/opensearch-2-job-schedulerpkg:apk/wolfi/opensearch-2-k-nnpkg:apk/wolfi/opensearch-2-mapper-annotated-textpkg:apk/wolfi/opensearch-2-mapper-murmur3pkg:apk/wolfi/opensearch-2-mapper-sizepkg:apk/wolfi/opensearch-2-ml-commonspkg:apk/wolfi/opensearch-2-neural-searchpkg:apk/wolfi/opensearch-2-notificationspkg:apk/wolfi/opensearch-2-observabilitypkg:apk/wolfi/opensearch-2-performance-analyzerpkg:apk/wolfi/opensearch-2-reportingpkg:apk/wolfi/opensearch-2-repository-azurepkg:apk/wolfi/opensearch-2-repository-gcspkg:apk/wolfi/opensearch-2-repository-s3pkg:apk/wolfi/opensearch-2-securitypkg:apk/wolfi/opensearch-2-security-analyticspkg:apk/wolfi/opensearch-2-sqlpkg:apk/wolfi/opensearch-2-store-smbpkg:apk/wolfi/opensearch-2-telemetry-otelpkg:apk/wolfi/opensearch-2-transport-niopkg:apk/wolfi/opensearch-3pkg:maven/org.apache.tika/tika-parser-pdf-modulepkg:maven/org.apache.tika/tika-parsers
< 8.19.2-r1+ 112 more
- (no CPE)range: < 8.19.2-r1
- (no CPE)range: < 8.17.10-r1
- (no CPE)range: < 8.17.10-r1
- (no CPE)range: < 8.17.10-r1
- (no CPE)range: < 8.19.2-r1
- (no CPE)range: < 8.19.2-r1
- (no CPE)range: < 8.19.2-r1
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 8.19.2-r1
- (no CPE)range: < 8.19.2-r3
- (no CPE)range: < 8.19.2-r3
- (no CPE)range: < 8.19.2-r3
- (no CPE)range: < 8.19.2-r3
- (no CPE)range: < 8.19.2-r3
- (no CPE)range: < 0
- (no CPE)range: < 9.0.8-r0
- (no CPE)range: < 9.0.8-r0
- (no CPE)range: < 9.0.8-r0
- (no CPE)range: < 9.1.2-r12
- (no CPE)range: < 9.1.2-r12
- (no CPE)range: < 9.1.2-r12
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 3.3.2-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 2.19.4-r0
- (no CPE)range: < 3.3.2-r0
- (no CPE)range: >= 1.13, < 3.2.2
- (no CPE)range: >= 1.13, < 2.0.0-ALPHA
- Apache Software Foundation/Apache Tika PDF parser modulev5Range: 1.13
Patches
Vulnerability mechanics
References
11- github.com/advisories/GHSA-p72g-pv48-7w9xghsaADVISORY
- lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1wghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-54988ghsaADVISORY
- www.openwall.com/lists/oss-security/2025/08/20/2ghsaWEB
- www.openwall.com/lists/oss-security/2025/08/20/3ghsaWEB
- archive.apache.org/dist/tika/3.2.2/CHANGES-3.2.2.txtghsaWEB
- github.com/apache/tika/commit/2b52257304f4d3cde2b8463657380bdb936d9ef2ghsaWEB
- github.com/apache/tika/pull/2291ghsaWEB
- issues.apache.org/jira/browse/TIKA-4459ghsaWEB
- lists.apache.org/thread/stn9oh7rfn9yv76n1srxr9w56oy04p72ghsaWEB
- lists.debian.org/debian-lts-announce/2025/10/msg00030.htmlghsaWEB
News mentions
0No linked articles in our index yet.