Maven package
org.apache.tika/tika-core
pkg:maven/org.apache.tika/tika-core
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-66516 | — | >= 1.13, < 3.2.2 | 3.2.2 | Dec 4, 2025 | Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability | ||
| CVE-2022-30973 | — | >= 1.17, < 1.28.3 | 1.28.3 | May 31, 2022 | We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted fi | ||
| CVE-2022-30126 | — | >= 1.17, < 1.28.2 | 1.28.2 | May 16, 2022 | In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, whic | ||
| CVE-2019-10088 | — | >= 1.7, < 1.22 | 1.22 | Aug 2, 2019 | A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later. | ||
| CVE-2019-10094 | — | >= 1.7, < 1.22 | 1.22 | Aug 2, 2019 | A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later. | ||
| CVE-2018-11796 | — | >= 0.1, < 1.19.1 | 1.19.1 | Oct 9, 2018 | In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity e | ||
| CVE-2018-8017 | — | >= 1.2, < 1.19 | 1.19 | Sep 19, 2018 | In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an infinite loop in the IptcAnpaParser. | ||
| CVE-2018-11762 | — | >= 0.9, < 1.19 | 1.19 | Sep 19, 2018 | In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file. | ||
| CVE-2018-11761 | — | >= 0.1, < 1.19.1 | 1.19.1 | Sep 19, 2018 | In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack. | ||
| CVE-2018-1338 | — | < 1.18 | 1.18 | Apr 25, 2018 | A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18. | ||
| CVE-2018-1335 | — | >= 1.7, < 1.18 | 1.18 | Apr 25, 2018 | From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to | ||
| CVE-2016-4434 | Hig | 7.8 | < 1.13 | 1.13 | Sep 30, 2017 | Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a rela | |
| CVE-2016-6809 | Cri | 9.8 | < 1.14 | 1.14 | Apr 6, 2017 | Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization. |
- CVE-2025-66516Dec 4, 2025affected >= 1.13, < 3.2.2fixed 3.2.2
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability
- CVE-2022-30973May 31, 2022affected >= 1.17, < 1.28.3fixed 1.28.3
We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted fi
- CVE-2022-30126May 16, 2022affected >= 1.17, < 1.28.2fixed 1.28.2
In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, whic
- CVE-2019-10088Aug 2, 2019affected >= 1.7, < 1.22fixed 1.22
A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later.
- CVE-2019-10094Aug 2, 2019affected >= 1.7, < 1.22fixed 1.22
A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later.
- CVE-2018-11796Oct 9, 2018affected >= 0.1, < 1.19.1fixed 1.19.1
In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity e
- CVE-2018-8017Sep 19, 2018affected >= 1.2, < 1.19fixed 1.19
In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an infinite loop in the IptcAnpaParser.
- CVE-2018-11762Sep 19, 2018affected >= 0.9, < 1.19fixed 1.19
In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.
- CVE-2018-11761Sep 19, 2018affected >= 0.1, < 1.19.1fixed 1.19.1
In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
- CVE-2018-1338Apr 25, 2018affected < 1.18fixed 1.18
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.
- CVE-2018-1335Apr 25, 2018affected >= 1.7, < 1.18fixed 1.18
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to
- affected < 1.13fixed 1.13
Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a rela
- affected < 1.14fixed 1.14
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.