Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected
Description
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF.
This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways.
First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.
Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Tika tika-core (1.13-3.2.1), tika-pdf-module, and tika-parsers are vulnerable to critical XXE injection via crafted XFA files in PDFs.
Vulnerability
A critical XML External Entity (XXE) vulnerability exists in Apache Tika's tika-core module (versions 1.13 through 3.2.1), as well as in the tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules. The flaw allows an attacker to perform XXE injection by supplying a specially crafted XFA (XML Forms Architecture) file embedded within a PDF document [1][2]. While the entry point for exploitation is the PDF parser, the root cause resides in tika-core, meaning that merely updating the PDF parser module without also upgrading tika-core to version 3.2.2 or later leaves systems exposed [2].
Exploitation
An attacker can exploit this vulnerability by delivering a malicious PDF file containing a crafted XFA XML form to a target system that uses Apache Tika for document parsing. No authentication is required beyond the ability to submit a file for processing; the attack can be performed over a network. The vulnerability exists across all platforms, and exploitation requires no special privileges beyond file upload access [1][2].
Impact
Successful exploitation could allow an attacker to read arbitrary files on the server, conduct server-side request forgery (SSRF), or cause denial of service by accessing internal resources or external entities via the XML parser. Since the vulnerability is rated as critical, the potential for data exfiltration or system compromise is significant [2].
Mitigation
Apache Tika has released fixes in tika-core version 3.2.2 and later. Users must ensure that both tika-core and the PDF parser modules are updated to at least these patched versions. For the 1.x branch, no fix is available as it reached end-of-life status; migration to a supported release (2.x or 3.x) with the latest patches is strongly recommended [1][2]. This CVE expands on CVE-2025-54988 by clarifying the full scope of affected packages and the criticality of upgrading tika-core [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.tika:tika-core | Maven | >= 1.13, < 3.2.2 | 3.2.2 |
| org.apache.tika:tika-parsers | Maven | >= 1.13, < 2.0.0 | 2.0.0 |
| org.apache.tika:tika-parser-pdf-module | Maven | >= 2.0.0, < 3.2.2 | 3.2.2 |
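The Mitigation section and the table above make the same point from two directions: the fix is in tika-core, so a build that upgraded only the PDF parser module still carries the vulnerable artifact. The script below is an added example (not Apache Tika project code) that scans `mvn dependency:list` style output for artifacts inside the advisory's affected ranges. The version ranges are copied from the table; the dependency lines are constructed sample input, including the exact mismatch the advisory warns about (pdf module on 3.2.2, tika-core left on 3.2.1), and `org.example:some-lib` is a placeholder coordinate.

```python
"""Flag Maven dependencies that fall inside the affected ranges from the
CVE-2025-66516 / GHSA-f58c-gq56-vjjf advisory table.

Added example, not Apache Tika project code. Ranges come from the advisory;
the dependency lines below are constructed sample input in the format that
`mvn dependency:list` prints (groupId:artifactId:type[:classifier]:version:scope).
"""
import re
from typing import Dict, List, Optional, Tuple

# (inclusive lower bound, exclusive upper bound, version to upgrade to), per the advisory table
AFFECTED: Dict[str, Tuple[str, str, str]] = {
    "org.apache.tika:tika-core": ("1.13", "3.2.2", "3.2.2"),
    "org.apache.tika:tika-parsers": ("1.13", "2.0.0", "2.0.0"),
    "org.apache.tika:tika-parser-pdf-module": ("2.0.0", "3.2.2", "3.2.2"),
}


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sortable key for a Maven-style version.

    Numeric dot components are compared as integers (so 1.13 > 1.9), short
    versions are padded (1.13 == 1.13.0), and a qualifier such as
    3.2.2-SNAPSHOT sorts below the bare release 3.2.2, matching Maven's
    treatment of snapshots as preceding the release.
    """
    base, _, qualifier = version.partition("-")
    numbers: List[int] = []
    for part in base.split("."):
        match = re.match(r"\d+", part)
        numbers.append(int(match.group()) if match else 0)
    while len(numbers) < 4:
        numbers.append(0)
    return tuple(numbers), (0 if qualifier else 1)


def parse_dependency_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (groupId:artifactId, version) for a dependency line, else None."""
    text = line.strip()
    if text.startswith("[INFO]"):
        text = text[len("[INFO]"):].strip()
    parts = text.split(":")
    # groupId:artifactId:type[:classifier]:version:scope has at least 5 fields;
    # the version is always second from the end, so an optional classifier is harmless.
    if len(parts) < 5:
        return None
    return f"{parts[0]}:{parts[1]}", parts[-2]


def is_affected(coordinate: str, version: str) -> Optional[str]:
    """Return the fixed version if coordinate@version is in an affected range, else None."""
    entry = AFFECTED.get(coordinate)
    if entry is None:
        return None
    low, high, fixed = entry
    if version_key(low) <= version_key(version) < version_key(high):
        return fixed
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (coordinate, found version, fixed version) for each affected dependency."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        coordinate, version = parsed
        fixed = is_affected(coordinate, version)
        if fixed is not None:
            findings.append((coordinate, version, fixed))
    return findings


# Constructed sample: only the PDF module was bumped; tika-core is still 3.2.1.
SAMPLE_DEPENDENCY_LIST = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile",
    "[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile",
    "[INFO]    org.example:some-lib:jar:1.0.0:compile",
    "[INFO]    org.apache.tika:tika-parsers:jar:1.28.5:compile",
    "[INFO]    org.apache.tika:tika-core:jar:3.2.2-SNAPSHOT:test",
]

if __name__ == "__main__":
    for coordinate, found, fixed in scan(SAMPLE_DEPENDENCY_LIST):
        print(f"AFFECTED {coordinate} {found} -> upgrade to {fixed}")
```

Run it against real output with `mvn dependency:list -DoutputFile=deps.txt` and feed the file lines to `scan`. The key detail is that the check is per-artifact, not per-project: a 3.2.2 PDF module next to a 3.2.1 tika-core is reported, which is precisely the partial upgrade the advisory says remains vulnerable.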
Affected products
- Apache Software Foundation / Apache Tika core (range: 1.13)
- Apache Software Foundation / Apache Tika parsers (range: 1.13)
- Apache Software Foundation / Apache Tika PDF parser module (range: 2.0.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-f58c-gq56-vjjf (GHSA advisory)
- https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k (vendor advisory, via GHSA)
- https://nvd.nist.gov/vuln/detail/CVE-2025-66516 (NVD record, via GHSA)
- cve.org/CVERecord (related CVE record, via GHSA)
News mentions
No linked articles in our index yet.