CVE-2025-66516

Severity: Critical (CVSS 3.1 base score 9.8)
EPSS: 99.6th percentile
Published Dec 4, 2025 · Last modified Jun 17, 2026

Description

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
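The scope point in the description is easy to miss in a real build: the PDF module named in CVE-2025-54988 can be on a fixed version while tika-core, where the bug and its fix actually live, is not. The script below is an added example (Python, not code from the Apache Tika project) that reads the `group:artifact[:packaging]:version[:scope]` lines printed by `mvn dependency:list`, also understands Gradle's `requested -> resolved` lines, and applies the affected ranges exactly as the description states them. The sample output, the `AFFECTED` table and the helper names are this example's own constructions; only the version ranges come from the page.

```python
"""Audit resolved dependency coordinates for the Apache Tika ranges that
CVE-2025-66516 lists as affected.

Added example, not code from the Apache Tika project. Input is the
"group:artifact[:packaging]:version[:scope]" line format printed by
`mvn dependency:list`; Gradle's "requested -> resolved" lines are also
understood. SAMPLE below is constructed for this example.
"""
import re

# Affected ranges as stated in the CVE description, inclusive on both ends.
# tika-parser-pdf-module is the Maven artifactId of the PDF module.
AFFECTED = {
    "tika-core": ((1, 13, 0), (3, 2, 1)),
    "tika-parser-pdf-module": ((2, 0, 0), (3, 2, 1)),
    "tika-parsers": ((1, 13, 0), (1, 28, 5)),   # 1.x line only
}
FIXED_CORE = (3, 2, 2)  # the fix lives in tika-core

COORD = re.compile(r"(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?:[\w\-]+:)?(?P<v>[\w.\-]+)")

# Constructed sample of `mvn dependency:list` output for this example.
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.example:app-lib:jar:1.0.0:compile
"""


def parse_version(v):
    """'3.2.1' -> (3, 2, 1). Qualifiers such as '-SNAPSHOT' are dropped and
    short versions are zero-padded so tuples compare correctly."""
    nums = [int(p) for p in re.findall(r"\d+", v.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def find_tika_artifacts(text):
    """Map artifactId -> version for every org.apache.tika coordinate in text."""
    found = {}
    for line in text.splitlines():
        m = COORD.search(line)
        if not m or m.group("g") != "org.apache.tika":
            continue
        version = m.group("v")
        arrow = line.find(" -> ")
        if arrow != -1:  # Gradle prints "requested -> resolved"; the resolved one ships
            version = line[arrow + 4:].split()[0]
        found[m.group("a")] = version
    return found


def assess(artifacts):
    """Return human-readable findings; an empty list means nothing affected."""
    findings = []
    for art, ver in artifacts.items():
        rng = AFFECTED.get(art)
        if rng and rng[0] <= parse_version(ver) <= rng[1]:
            findings.append(f"{art} {ver} is inside the affected range")
    # The point this CVE adds: a patched PDF module on top of an old tika-core
    # is still vulnerable, because the fix is in tika-core.
    core, pdf = artifacts.get("tika-core"), artifacts.get("tika-parser-pdf-module")
    if core and pdf and parse_version(pdf) >= FIXED_CORE > parse_version(core):
        findings.append(f"tika-parser-pdf-module {pdf} is patched but tika-core "
                        f"{core} is older than 3.2.2, so the XXE is still reachable")
    return findings


if __name__ == "__main__":
    for finding in assess(find_tika_artifacts(SAMPLE)) or ["no affected Tika artifacts found"]:
        print(finding)
```

Run it against `mvn dependency:list -DoutputFile=deps.txt` output or a `gradle dependencies` dump; the mismatch rule fires only when both coordinates are present, so a tree that resolves tika-core transitively through another library still needs the core version checked, which is why the script keys on the resolved coordinate rather than on the declared one.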

CVSS Details

Base Score
9.8
Exploitability
3.9
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS: 99.6th percentile (the page records the percentile, not the underlying probability score)
Exploit & Patch Status: No Known Exploit recorded. The patch-status field reads "No Patch Available", but the description above identifies the fix as tika-core 3.2.2 or later; treat the field as unpopulated rather than as a statement that no fix exists (see Remediation).

Weaknesses (1)

CWE-611: Improper Restriction of XML External Entity Reference (XXE)
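The description says the XML reaches the parser as an XFA form embedded in a PDF, and an XXE needs a DTD that declares an external entity. The following is an added example (Python, not Apache Tika code) of a triage scanner for inbound PDFs: it inflates FlateDecode streams and flags a file that carries an /XFA reference together with a stream containing DTD or external-entity markup. The PDF skeleton, the XFA packets and all function names are constructed for this example; the sample file is not a working exploit and is not valid for a viewer (no xref table). A filter like this is a detection aid only; the fix remains upgrading tika-core so the parser does not resolve external entities.

```python
"""Triage scan: does a PDF carry XFA form data whose XML declares a DTD or
external entities?

Added example, not code from Apache Tika. It is a heuristic for sorting
inbound documents before they reach a parser; it does not walk the PDF
object graph and resolves nothing. build_sample_pdf() assembles a minimal,
constructed PDF (no xref table) purely so the scanner has input to run on.
"""
import re
import zlib

STREAM_START = re.compile(rb"(?<!end)stream\r?\n")
DTD_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.I)
EXTERNAL_RE = re.compile(rb"<!ENTITY\s+%?\s*[\w.\-]+\s+(?:SYSTEM|PUBLIC)\b", re.I)

# Constructed XFA packets. The first declares an external entity, which is the
# pattern an XXE payload needs; the second is an ordinary form packet.
XFA_WITH_DTD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE xdp [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>&ext;</template></xdp:xdp>\n'
)
XFA_PLAIN = (
    b'<?xml version="1.0"?>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template/></xdp:xdp>\n'
)


def build_sample_pdf(xfa_xml, compress=True):
    """Wrap an XFA packet in the smallest PDF skeleton that references it via
    /AcroForm /XFA, optionally FlateDecode-compressed as real files are."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b" /Filter /FlateDecode" if compress else b""
    objs = [
        b"<< /Type /Catalog /AcroForm 2 0 R >>",
        b"<< /Fields [] /XFA 3 0 R >>",
        b"<< /Length %d%s >>\nstream\n" % (len(body), filt) + body + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def iter_streams(pdf):
    """Yield (object dictionary bytes, stream body) for each stream object,
    inflating FlateDecode streams; other filters are yielded undecoded."""
    pos = 0
    while True:
        m = STREAM_START.search(pdf, pos)
        if not m:
            return
        end = pdf.find(b"endstream", m.end())
        if end == -1:
            return
        dict_start = max(pdf.rfind(b" obj", 0, m.start()), 0)
        d, body = pdf[dict_start:m.start()], pdf[m.end():end]
        if b"/FlateDecode" in d:
            try:  # decompressobj tolerates the EOL bytes that precede 'endstream'
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                pass  # corrupt or truncated: scan the raw bytes instead
        yield d, body
        pos = end + len(b"endstream")


def scan_pdf(pdf):
    """Count streams with DTD markup and external entity declarations; flag the
    file when it has an XFA reference and at least one such stream."""
    report = {"has_xfa": b"/XFA" in pdf, "dtd_streams": 0, "external_entities": 0}
    for _, body in iter_streams(pdf):
        if DTD_RE.search(body):
            report["dtd_streams"] += 1
            report["external_entities"] += len(EXTERNAL_RE.findall(body))
    report["suspicious"] = report["has_xfa"] and report["dtd_streams"] > 0
    return report


if __name__ == "__main__":
    for label, packet in (("with DTD", XFA_WITH_DTD), ("plain", XFA_PLAIN)):
        print(label, scan_pdf(build_sample_pdf(packet)))
```

Known gaps a practitioner should keep in mind: XFA may be stored as an array of named packet streams rather than one stream, streams inside object streams (/ObjStm) or behind filters other than FlateDecode are not inflated, and a DTD alone is not proof of an attack. Use the flag to route a file to a patched parser in an isolated environment, not as a verdict.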

Affected Products (1)

Vendor   Product   Version range
apache   tika      ≥ 1.13 and < 3.2.2 (the union of the per-module ranges in the description)

References (2)

  • cve.org (Third Party Advisory): https://cve.org/CVERecord?id=CVE-2025-54988
  • lists.apache.org (Vendor Advisory): https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k

Remediation

The page's remediation field is empty, but the description is explicit about where the fix lives: the vulnerable code and its patch are in tika-core, so upgrade org.apache.tika:tika-core to 3.2.2 or later. Upgrading only tika-parser-pdf-module, the entry point named in CVE-2025-54988, leaves the XXE reachable; check the resolved version of tika-core in the dependency tree, including versions pulled in transitively. For 1.x deployments the PDFParser shipped in org.apache.tika:tika-parsers, and the affected range runs through 1.28.5 with no fixed 1.x release listed here, so moving to tika-core 3.2.2 or later is the documented path. Confirm against the vendor advisory (the lists.apache.org thread above) and the NVD entry.