XML External Entity Injection in Apache Tika Products
CVE-2025-66516

CVSS score: 10 (CRITICAL)

Key Information:

Vendor: Apache
CVE Published: 4 December 2025

Badges

📈 Score: 566
👾 Exploit Exists
🟡 Public PoC
📰 News Worthy

What is CVE-2025-66516?

CVE-2025-66516 is a critical vulnerability affecting Apache Tika, an open-source library that detects file types and extracts metadata and structured text content from a wide range of document formats. The flaw is an XML External Entity (XXE) injection in several Apache Tika modules, including tika-core, tika-pdf-module, and tika-parsers. An attacker can exploit it by embedding a malicious XFA (XML Forms Architecture) payload in a PDF; when Tika parses that file, the XXE could lead to unauthorized access to sensitive data or potentially to execution of arbitrary code on the affected system. The implications for organizations that rely on Apache Tika for document processing are significant, since exploitation could facilitate data breaches or compromise the integrity and availability of services built on the affected components.

Potential impact of CVE-2025-66516

  1. Data Breach and Exfiltration: An attacker exploiting this vulnerability could gain access to sensitive files and data processed by Apache Tika, leading to significant information leaks and potential violations of data protection regulations.

  2. Remote Code Execution: The vulnerability enables attackers to execute arbitrary code on the server where Apache Tika is running, allowing them to take control of the affected system, modify files, or deploy additional malicious software.

  3. Reputation Damage and Financial Loss: Organizations affected by an exploitation of this vulnerability could suffer reputational harm, loss of customer trust, and financial consequences stemming from data exfiltration, remediation efforts, and potential legal actions.

Affected Version(s)

Apache Tika core: 1.13 up to and including 3.2.1

Apache Tika parsers: 1.13 up to, but not including, 2.0.0

Apache Tika PDF parser module: 2.0.0 up to and including 3.2.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

Atlassian fixed maximum severity flaw CVE-2025-66516 in Apache Tika

Atlassian released security updates to address dozens of flaws, including multiple critical-severity vulnerabilities.

2 weeks ago

Critical CVE-2025-66516 Exposes Apache Tika to XXE Attacks Across Core and Parser Modules - IT Security News

A newly disclosed vulnerability in Apache Tika has had the cybersecurity community seriously concerned because researchers have confirmed that it holds a maximum CVSS severity score of 10.0. Labeled as CVE-2025-66516, the vulnerability facilitates XXE attacks and may allow…

3 weeks ago

Over 500 Apache Tika Instances Exposed Online to Critical XXE Attacks

CVE-2025-66516, carrying the maximum CVSS severity score of 10.0, represents a significant threat to organizations deploying vulnerable versions of the widely used document processing framework.

3 weeks ago


CVSS V4

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📰 First article discovered by GBHackers News

  • Vulnerability published

  • Vulnerability reserved