XML External Entity Injection Vulnerability in Apache Tika PDF Parsing Module
CVE-2025-54988

9.8 CRITICAL

Key Information:

Vendor:
Apache

CVE Published:
20 August 2025

What is CVE-2025-54988?

CVE-2025-54988 is a critical vulnerability in the Apache Tika PDF parsing module, affecting versions 1.13 through 3.2.1. Apache Tika is widely used to extract text and metadata from many document formats, which makes it a core component of many applications that process PDF files. The vulnerability is an XML External Entity (XXE) injection flaw triggered by specially crafted XFA (XML Forms Architecture) content embedded in a PDF. Its impact can be severe: an attacker can read sensitive data or cause the parser to make requests to internal and external resources, compromising the confidentiality and integrity of systems that rely on this software.

Given that the tika-parser-pdf-module is a dependency in multiple Tika-related packages including tika-parsers-standard-modules and tika-app, organizations utilizing these tools must be vigilant. Failure to address this vulnerability could result in unauthorized data access and exploitation of the application’s functionality, potentially leading to significant security breaches.
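As a defender-side triage check, added here and not code from the Apache Tika project: this Python heuristic walks the stream objects of a PDF, inflates FlateDecode streams, and flags any XFA-looking stream that carries a DOCTYPE or an external (SYSTEM/PUBLIC) entity declaration, the construct an XXE payload inside XFA depends on. It is a pre-screen for untrusted uploads, not a PDF parser; the sample bytes and the file path inside the entity are constructed placeholders.

```python
import re
import zlib
# Object dictionary plus stream start; only direct /Length values count (an indirect "n 0 R" is skipped).
STREAM_START_RE = re.compile(rb"<<(?P<dict>.*?)>>\s*stream\r?\n", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
# XFA (XDP) markers, plus the DTD constructs a template never needs: a DOCTYPE and a SYSTEM/PUBLIC entity.
XFA_MARKER_RE = re.compile(rb"<xdp:xdp|xmlns:xfa=|<xfa:", re.IGNORECASE)
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)

def iter_streams(pdf_bytes: bytes):
    """Yield (object dictionary, raw body) for each stream object, bounding the body by /Length."""
    pos = 0
    while (match := STREAM_START_RE.search(pdf_bytes, pos)) is not None:
        dictionary, start = match.group("dict"), match.end()
        length = LENGTH_RE.search(dictionary)
        end = start + int(length.group(1)) if length else pdf_bytes.find(b"endstream", start)
        end = len(pdf_bytes) if end < 0 else end  # truncated file: take what is left
        yield dictionary, pdf_bytes[start:end]
        pos = end

def decode_stream(dictionary: bytes, body: bytes) -> bytes:
    """Inflate a FlateDecode stream; other filters, or corrupt data, are inspected as raw bytes."""
    try:
        return zlib.decompress(body) if b"/FlateDecode" in dictionary else body
    except zlib.error:
        return body

def find_xfa_dtd_findings(pdf_bytes: bytes) -> list:
    """Return one finding per XFA-looking stream that declares a DOCTYPE or an external entity."""
    findings = []
    for index, (dictionary, body) in enumerate(iter_streams(pdf_bytes)):
        data = decode_stream(dictionary, body)
        if not XFA_MARKER_RE.search(data):
            continue  # ordinary content streams are out of scope for this check
        has_doctype = DOCTYPE_RE.search(data) is not None
        has_external = EXTERNAL_ENTITY_RE.search(data) is not None
        if has_doctype or has_external:
            findings.append({"stream": index, "doctype": has_doctype, "external_entity": has_external})
    return findings

# Constructed sample (not an openable PDF): a plain stream, a benign XFA template, and a
# FlateDecode-compressed XFA template declaring an external entity that points at a placeholder path.
BENIGN_XFA = b'<?xml version="1.0"?><xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template/></xdp:xdp>'
DTD_XFA = (b'<?xml version="1.0"?><!DOCTYPE xdp:xdp [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
           b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>&ext;</template></xdp:xdp>')
COMPRESSED = zlib.compress(DTD_XFA)
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
              b"2 0 obj\n<< /Length " + str(len(BENIGN_XFA)).encode() + b" >>\nstream\n" + BENIGN_XFA
              + b"\nendstream\nendobj\n3 0 obj\n<< /Length " + str(len(COMPRESSED)).encode()
              + b" /Filter /FlateDecode >>\nstream\n" + COMPRESSED + b"\nendstream\nendobj\n%%EOF\n")
```

A hit only means the file deserves quarantine and inspection; the authoritative fix remains running a Tika release outside the affected range.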

Potential impact of CVE-2025-54988

  1. Data Leakage: The vulnerability allows attackers to access sensitive information stored within systems utilizing the affected software. This could result in unauthorized disclosure of personal, financial, or proprietary data, leading to privacy violations and regulatory compliance issues.

  2. Internal Resource Exploitation: Attackers can leverage this vulnerability to perform malicious actions targeting internal resources. This could result in unauthorized interactions with databases or services, increasing the risk of further internal compromises or data manipulation.

  3. Integration Risks: As the affected PDF parsing module is integrated into various applications, the existence of this vulnerability can place multiple interconnected services at risk. Exploitation could facilitate further attacks, leading to widespread impacts across the organization's software ecosystem.

Affected Version(s)

Apache Tika PDF parser module, versions 1.13 through 3.2.1 (inclusive)

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Credit

Paras Jain and Yakov Shafranovich of Amazon.