XML External Entity Injection in Apache Tika Products
CVE-2025-66516

10 CRITICAL

What is CVE-2025-66516?

Apache Tika is susceptible to XML External Entity (XXE) injection through a crafted XFA file embedded in a PDF. The vulnerability spans several modules, including tika-core, tika-pdf-module, and tika-parsers. Users who have updated only tika-pdf-module may remain exposed if they have not also upgraded tika-core to version 3.2.2 or higher, so all related modules must be updated together to close the exposure.
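As an added illustration (not part of the advisory), the following check compares a project's resolved Tika artifact versions against the affected ranges listed on this page and flags the partial-upgrade case the description warns about; the artifact names are assumed to match the module names used above, and the sample dependency map is constructed.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges from the advisory: (low inclusive, high, high_inclusive).
# Artifact names follow the module names used in the advisory text (assumption).
AFFECTED = {
    "tika-core": ((1, 13, 0), (3, 2, 1), True),       # 1.13 <= v <= 3.2.1
    "tika-parsers": ((1, 13, 0), (2, 0, 0), False),   # 1.13 <= v < 2.0.0
    "tika-pdf-module": ((2, 0, 0), (3, 2, 1), True),  # 2.0.0 <= v <= 3.2.1
}
FIXED_CORE: Version = (3, 2, 2)  # tika-core must be >= 3.2.2 per the advisory


def parse_version(v: str) -> Version:
    """Turn '3.2.1' or '3.2.1-SNAPSHOT' into a comparable, zero-padded tuple."""
    m = re.match(r"(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_affected(artifact: str, version: str) -> bool:
    """True if this artifact version falls inside its advisory range."""
    rng = AFFECTED.get(artifact)
    if rng is None:
        return False
    low, high, high_incl = rng
    v = parse_version(version)
    if v < low:
        return False
    return v <= high if high_incl else v < high


def assess(deps: Dict[str, str]) -> List[str]:
    """Return findings for a map of artifact -> resolved version."""
    findings = [f"{a} {v} is in the affected range for CVE-2025-66516"
                for a, v in deps.items() if is_affected(a, v)]
    core, pdf = deps.get("tika-core"), deps.get("tika-pdf-module")
    # The partial-upgrade trap: PDF module fixed, but tika-core still old.
    if core and pdf and not is_affected("tika-pdf-module", pdf) \
            and parse_version(core) < FIXED_CORE:
        findings.append("partial upgrade: tika-pdf-module is fixed but "
                        "tika-core is below 3.2.2")
    return findings


# Constructed sample: a project that bumped only the PDF module.
SAMPLE_DEPS = {"tika-core": "3.2.1", "tika-pdf-module": "3.2.2"}

if __name__ == "__main__":
    for line in assess(SAMPLE_DEPS):
        print(line)
```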

Affected Version(s)

Apache Tika core: 1.13 through 3.2.1 (inclusive)

Apache Tika parsers: 1.13 up to, but not including, 2.0.0

Apache Tika PDF parser module: 2.0.0 through 3.2.1 (inclusive)

References

CVSS V4

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
