XML External Entity Injection Vulnerability in Apache Tika PDF Parsing Module
CVE-2025-54988
Key Information:
- Vendor: Apache
- CVE Published: 20 August 2025
What is CVE-2025-54988?
CVE-2025-54988 is a critical vulnerability in the Apache Tika PDF parser module, affecting versions 1.13 through 3.2.1. Apache Tika is widely used to extract text and metadata from many document formats, so its PDF parser sits in the ingestion path of any application that accepts PDF files. The flaw is an XML External Entity (XXE) injection in the handling of XFA (XML Forms Architecture) form data embedded in a PDF: a crafted XFA packet can declare external entities, and when Tika extracts the form those entities are resolved. An attacker who can get such a PDF parsed can read sensitive files from the host or make the parser issue requests to internal and external resources (a server-side request forgery pattern), compromising the confidentiality of systems that rely on Tika and exposing services reachable from the parsing host.
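The attack shape described above, a DOCTYPE with an external entity inside the XFA stream of a PDF, is simple enough to pre-screen for before a document reaches a parser. The following is an added example written for this page, not Apache Tika code and not a reproduction of any published exploit: it walks the top-level objects of a PDF, follows the /XFA entry of the AcroForm dictionary to the streams it references, inflates FlateDecode streams, and reports any XFA XML that declares a DOCTYPE, distinguishing external (SYSTEM/PUBLIC) entity declarations from purely internal ones. The `make_pdf` fixture and the three XFA samples are constructed for the demonstration. Object streams (/ObjStm), other filters and encrypted PDFs are out of scope, so a clean result is not proof of safety; the value is in catching the obvious payload shape cheaply.

```python
"""Pre-screen PDFs for XXE-style payloads in embedded XFA form data.

Added example, not Apache Tika code. A regex-driven pre-filter, not a PDF
parser: it walks top-level "N G obj ... endobj" blocks, inflates FlateDecode
streams, follows /XFA references and flags XFA XML that carries a DOCTYPE.
Limitations: object streams (/ObjStm), filters other than FlateDecode and
encrypted PDFs are not handled, and binary stream data could in principle
contain the "endobj"/"endstream" markers the regexes key on.
"""
from __future__ import annotations

import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# /XFA is either a single reference or an array of (name) string / ref pairs.
XFA_REF_RE = re.compile(rb"/XFA\s*(\[[^\]]*\]|\d+\s+\d+\s+R)", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.I)
# General or parameter (%) entity declared with an external identifier.
EXT_ENTITY_RE = re.compile(rb"<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.I)


def _objects(pdf: bytes) -> dict[int, bytes]:
    """Map object number -> raw object body (dictionary plus optional stream)."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def _stream_data(body: bytes) -> bytes | None:
    """Return the decoded stream payload of an object body, if it has one."""
    m = STREAM_RE.search(body)
    if m is None:
        return None
    data = m.group(1)
    if re.search(rb"/Filter\s*/FlateDecode\b", body):
        try:
            data = zlib.decompress(data)
        except zlib.error:
            return None  # corrupt or truncated stream; nothing to inspect
    return data


def xfa_object_numbers(objects: dict[int, bytes]) -> set[int]:
    """Object numbers referenced from any /XFA entry (normally in /AcroForm)."""
    numbers: set[int] = set()
    for body in objects.values():
        for m in XFA_REF_RE.finditer(body):
            numbers.update(int(r.group(1)) for r in REF_RE.finditer(m.group(1)))
    return numbers


def scan_pdf(pdf: bytes) -> list[tuple[int, str]]:
    """Return (object number, finding) pairs for XFA streams that carry a DOCTYPE."""
    objects = _objects(pdf)
    findings: list[tuple[int, str]] = []
    for num in sorted(xfa_object_numbers(objects)):
        data = _stream_data(objects.get(num, b""))
        if data is None or not DOCTYPE_RE.search(data):
            continue
        kind = "external entity" if EXT_ENTITY_RE.search(data) else "doctype"
        findings.append((num, kind))
    return findings


def make_pdf(xfa_xml: bytes, compress: bool = True) -> bytes:
    """Constructed fixture: a minimal, xref-less PDF with one XFA stream (object 3)."""
    data = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b" /Filter /FlateDecode" if compress else b""
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /AcroForm 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Fields [] /XFA [(template) 3 0 R] >>\nendobj\n",
        b"3 0 obj\n<< /Length %d%s >>\nstream\n" % (len(data), filt),
        data,
        b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


# Constructed samples: the XDP packet shape is the real XFA layout, the
# payload is a generic XXE template pointing at a harmless local file.
XXE_XFA = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE xdp [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
    b'<template><subform name="form1"><field name="f"/></subform></template>'
    b"<datasets>&xxe;</datasets></xdp:xdp>"
)
INTERNAL_DTD_XFA = (
    b'<!DOCTYPE xdp [ <!ENTITY brand "Example Corp"> ]>'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>&brand;</template></xdp:xdp>'
)
BENIGN_XFA = (
    b'<?xml version="1.0"?><xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
    b'<template><subform name="form1"/></template></xdp:xdp>'
)

if __name__ == "__main__":
    for label, xml in (("xxe", XXE_XFA), ("internal dtd", INTERNAL_DTD_XFA), ("benign", BENIGN_XFA)):
        print(f"{label:13s} {scan_pdf(make_pdf(xml))}")
```

A hit of kind "external entity" is the case this CVE is about; a bare "doctype" hit is still worth rejecting in an ingestion pipeline, since XFA forms have no legitimate need for a DTD and internal entities can be used for entity-expansion denial of service. Run the scanner on uploads before they are handed to an unpatched Tika, and treat it as a stopgap, not a substitute for upgrading.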
Because tika-parser-pdf-module is pulled in by other Tika packages, including tika-parsers-standard-modules and tika-app, an application can be exposed without declaring a dependency on the PDF module itself. Organizations using these tools should treat any deployment that can be handed an untrusted PDF as affected until it is upgraded; left unpatched, the flaw allows unauthorized data access and abuse of the parser's network position, which can lead to a significant breach. Apache shipped the fix in Tika 3.2.2, and later advisories (see the news items below) widened the affected scope, so check the current vendor advisory rather than relying on this version range alone.
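Because the exposure is transitive, the practical first step is to find the affected artifacts in a build's resolved dependency list. The following is an added example for this page, not an Apache or Maven tool: it reads lines in the `groupId:artifactId:type[:classifier]:version:scope` format that `mvn dependency:list` prints and compares versions numerically, so that 3.10.0 sorts above 3.2.1 and a `-SNAPSHOT` or `-rc` suffix does not break the comparison. The artifact names are the three this page mentions, the version range is the one it states, and the sample listing is constructed; extend the artifact set from the vendor advisory for your own deployment.

```python
"""Flag Tika artifacts in a Maven dependency listing that fall inside the
affected range for CVE-2025-54988 (1.13 through 3.2.1).

Added example, not an Apache or Maven tool. The artifact list is taken from
this page and is deliberately small; the current vendor advisory is the
authority on which artifacts and versions are affected.
"""
from __future__ import annotations

import re

AFFECTED_ARTIFACTS = {
    "tika-parser-pdf-module",         # the vulnerable module itself
    "tika-parsers-standard-modules",  # bundles it transitively
    "tika-app",                       # bundles it transitively
}
RANGE_LOW = (1, 13)
RANGE_HIGH = (3, 2, 1)

# groupId:artifactId:type[:classifier]:version:scope as printed by mvn dependency:list
DEP_LINE_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+(?::[\w\-]+)?:(?P<version>[\w.\-]+):\w+"
)


def parse_version(version: str) -> tuple[int, ...]:
    """Leading numeric components only: '3.2.1' -> (3, 2, 1); '3.2.2-rc1' -> (3, 2, 2).

    A pre-release of a fixed version (3.2.2-SNAPSHOT) therefore reads as fixed;
    treat unreleased builds by hand.
    """
    numeric: list[int] = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            break
        numeric.append(int(part))
    return tuple(numeric)


def is_affected(version: str) -> bool:
    """True when the version lies in [1.13, 3.2.1], compared component-wise."""
    v = parse_version(version)
    return bool(v) and RANGE_LOW <= v <= RANGE_HIGH


def affected_dependencies(listing: str) -> list[tuple[str, str]]:
    """(artifact, version) for every org.apache.tika artifact in the affected set and range."""
    hits: list[tuple[str, str]] = []
    for line in listing.splitlines():
        m = DEP_LINE_RE.search(line)
        if m is None or m.group("group") != "org.apache.tika":
            continue
        artifact, version = m.group("artifact"), m.group("version")
        if artifact in AFFECTED_ARTIFACTS and is_affected(version):
            hits.append((artifact, version))
    return hits


# Constructed sample in the shape of `mvn dependency:list` output.
SAMPLE_LISTING = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parsers-standard-modules:pom:2.9.2:compile
[INFO]    org.apache.tika:tika-app:jar:3.2.2:runtime
[INFO]    org.example:internal-lib:jar:sources:1.4.0:compile
"""

if __name__ == "__main__":
    for artifact, version in affected_dependencies(SAMPLE_LISTING):
        print(f"AFFECTED {artifact} {version}")
```

Note that tika-core is in the listing at an affected version but is not flagged, because the page names the PDF module and the two bundles that ship it, not tika-core; the set is where to add further artifacts as the advisory evolves.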
Potential impact of CVE-2025-54988
- Data Leakage: An external entity resolved during XFA extraction can return the contents of files readable by the Tika process, disclosing personal, financial or proprietary data and creating privacy and regulatory exposure.
- Internal Resource Exploitation: External entities can also point at URLs, so the parser can be made to issue requests to internal databases or services that are not reachable from outside, a foothold for further internal compromise or data manipulation.
- Integration Risks: Because the PDF parser module is embedded in many applications and in other Tika packages, one vulnerable version can put several interconnected services at risk, and exploitation of one ingestion point can cascade across the organization's software ecosystem.
Affected Version(s)
Apache Tika PDF parser module: 1.13 through 3.2.1 (inclusive)
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. It is also a key component of weaponization, including by ransomware operators, so the availability of a public PoC raises the urgency of patching.
News Articles
- Apache Tika CVE Expands To Critical Multi-Module Flaw: New advisory reveals Apache Tika's XXE flaw affects multiple modules, requiring urgent updates.
- Apache Issues Max-Severity Tika CVE After Patch Miss: The Apache Software Foundation's earlier fix for a critical Tika flaw missed the full scope of the vulnerability, prompting an updated advisory and CVE.
- Apache warns of 10.0-rated flaw in Tika metadata toolkit (Infosec in Brief): The Apache Foundation last week warned of a 10.0-rated flaw in its Tika toolkit. Tika detects and extracts metadata from over 1,000 different file formats. Last August, Apache reported...
Timeline
- First article discovered by Cyber Press
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved