[CIVN-2025-0197] XML External Entity (XXE) vulnerability in Apache Tika PDF parser module
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
XML External Entity (XXE) vulnerability in Apache Tika PDF parser module
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Apache Tika PDF parser module versions 1.13 through 3.2.1, including the Tika distributions that bundle it (tika-app, tika-server and the standard parser packages)
Overview
A vulnerability has been reported in Apache Tika's PDF parser module that may allow an attacker, by submitting a crafted PDF, to read files accessible to the Tika process or to trigger Server-Side Request Forgery (SSRF), causing the parsing host to issue unauthorised requests to internal services or third-party systems.
Target Audience:
All organisations and individuals using Apache Tika.
Risk Assessment:
High: exposure of files readable by the Tika process and Server-Side Request Forgery against services reachable from the parsing host.
Impact Assessment:
Compromise of the confidentiality of the parsing host and of internal systems reachable from it.
Description
Apache Tika is a content analysis toolkit designed to detect, parse, and extract text and metadata from a wide range of file formats for indexing, search, and data processing applications.
A critical vulnerability exists in the PDF parser module because the XML parser used for XFA (XML Forms Architecture) form data does not adequately restrict XML External Entity (XXE) references. An attacker could exploit this vulnerability by supplying a PDF that embeds a crafted XFA form whose XML declares external entities; when Tika extracts the form data, the parsing host resolves those entities. Any service that feeds untrusted documents to Tika (search indexers, content scanners, document-conversion APIs) is exposed, since no action beyond processing the document is required.
Successful exploitation of this vulnerability could allow the attacker to read sensitive files from the parsing host or trigger Server-Side Request Forgery (SSRF), issuing unauthorised requests to internal services or third-party systems.
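The following is an added example, not part of this advisory and not Apache Tika code. It shows the shape of the vector described above and a triage gate a practitioner can place in front of a Tika-based pipeline while patching: it walks a PDF's objects with regular expressions, inflates FlateDecode streams, and flags XFA XML that declares a DOCTYPE or an external or parameter entity. The PDF and XFA fixtures are constructed for the demonstration; the script is a pre-filter, not a full PDF parser.

```python
"""Triage gate for PDFs headed into an Apache Tika extraction pipeline.

Added example for this advisory, not Apache Tika code. It walks "N G obj ...
endobj" regions with regular expressions, inflates FlateDecode streams, and
flags XFA XML carrying the declarations an XXE payload needs.
"""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_KW = re.compile(rb"stream\r?\n")
# Direct /Length only; an indirect "/Length 12 0 R" falls back to scanning.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
XFA_HINT = re.compile(rb"xdp:xdp|xfa-template|xfa-data", re.I)

# XXE indicators. Tika 3.2.2 neutralises them by parsing XFA with external
# entity resolution disabled; this pre-filter rejects them before parsing.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.I)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.I)
PARAMETER_ENTITY_RE = re.compile(rb"<!ENTITY\s+%", re.I)
ENTITY_REF_RE = re.compile(rb"&([A-Za-z_][\w.\-]*);")
PREDEFINED = {b"amp", b"lt", b"gt", b"quot", b"apos"}
QUARANTINE_ON = {"doctype", "external_entity", "parameter_entity"}


def xml_findings(xml: bytes) -> list[str]:
    """Return the XXE indicators present in an XML byte string, in fixed order."""
    found = []
    if DOCTYPE_RE.search(xml):
        found.append("doctype")
    if EXTERNAL_ENTITY_RE.search(xml):
        found.append("external_entity")
    if PARAMETER_ENTITY_RE.search(xml):
        found.append("parameter_entity")
    refs = {m.group(1) for m in ENTITY_REF_RE.finditer(xml)} - PREDEFINED
    if refs:  # custom entity references beyond the five predefined ones
        found.append("entity_reference")
    return found


def extract_stream(obj_body: bytes):
    """Split an object body into (dictionary, raw stream bytes), or None."""
    kw = STREAM_KW.search(obj_body)
    if kw is None:
        return None
    dictionary, start = obj_body[:kw.start()], kw.end()
    m = LENGTH_RE.search(dictionary)
    if m:
        raw = obj_body[start:start + int(m.group(1))]
    else:
        raw = obj_body[start:obj_body.find(b"endstream", start)].rstrip(b"\r\n")
    return dictionary, raw


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Inflate FlateDecode streams; leave other filters and corrupt data as-is."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw
    return raw


def scan_pdf(pdf: bytes) -> list[dict]:
    """List every stream object whose decoded content carries XXE indicators."""
    hits = []
    for num, _gen, body in (m.groups() for m in OBJ_RE.finditer(pdf)):
        parts = extract_stream(body)
        if parts is None:
            continue
        data = decode_stream(*parts)
        findings = xml_findings(data)
        if findings:
            hits.append({"object": int(num), "xfa": bool(XFA_HINT.search(data)),
                         "findings": findings})
    return hits


def should_quarantine(pdf: bytes) -> bool:
    """True if any stream declares a DOCTYPE or an external/parameter entity."""
    return any(QUARANTINE_ON & set(h["findings"]) for h in scan_pdf(pdf))


def build_sample_pdf(xfa_xml: bytes, compress: bool = True) -> bytes:
    """Constructed fixture: minimal PDF whose AcroForm references one XFA stream."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /XFA 4 0 R >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< " + filt + b"/Length %d >>\nstream\n" % len(body) + body + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for i, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed XFA fixtures. The first has the shape an XXE payload takes: a
# DOCTYPE declaring an external entity that the XFA body then references.
MALICIOUS_XFA = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xdp:xdp [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
    <subform name="form1"><field name="note"><value><text>&xxe;</text></value></field></subform>
  </template>
</xdp:xdp>
"""
BENIGN_XFA = b"""<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
    <subform name="form1"><field name="note"><value><text>Hello &amp; welcome</text></value></field></subform>
  </template>
</xdp:xdp>
"""

if __name__ == "__main__":
    for label, xfa in (("malicious", MALICIOUS_XFA), ("benign", BENIGN_XFA)):
        pdf = build_sample_pdf(xfa)
        print(label, scan_pdf(pdf), "quarantine" if should_quarantine(pdf) else "pass")
```

A gate like this reduces exposure only; it does not see streams packed into object streams or encoded with filters other than FlateDecode, and a DOCTYPE-free XFA form is still handed to the parser. It is a stopgap for queues that cannot be drained before the upgrade to 3.2.2, not a substitute for it.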
Solution
Upgrade to Apache Tika 3.2.2 or later. Because the PDF parser module ships inside tika-app, tika-server and the standard parser packages, every deployment of those artifacts needs the upgrade, not only applications that depend on the PDF module directly. Where the upgrade cannot be applied immediately, a compensating control is to reject or quarantine PDFs carrying XFA form data at ingestion until the parsing hosts are patched.
Vendor Information
Apache Tika
https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w
References
Apache Tika
https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w
CVE Name
CVE-2025-54988
- --
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----