Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

A Critical Vulnerability Uncovered: Maximum-Severity XXE Flaw in Apache Tika Exposes Sensitive Internal Resources

A maximum-severity XXE vulnerability has been discovered in Apache Tika, exposing sensitive internal resources. The flaw allows attackers to supply malicious XML that the toolkit processes, compromising the security of any system that parses untrusted documents with it. Users who rely on Apache Tika are advised to install updates immediately to prevent potential breaches.

  • A vulnerability in Apache Tika has been discovered, with a CVSS score of 10.0, indicating its high severity.
  • The vulnerability allows attackers to inject malicious XML code, potentially exposing sensitive internal resources.
  • Apache Tika's extensive use across many systems makes it an attractive target for attackers.
  • The affected versions include tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5).

Apache Tika, a widely used open-source content analysis toolkit, has been found to be vulnerable to a maximum-severity XML External Entity (XXE) exploit. This discovery was made by security researcher Pierluigi Paganini and tracked as CVE-2025-66516. The vulnerability is classified with a CVSS score of 10.0, indicating its potential severity.

The XXE vulnerability in Apache Tika allows attackers to inject malicious XML, potentially leading to sensitive internal resources being exposed. The attack vector is a crafted XFA form embedded in a PDF: when the Tika PDF parser module processes the form's XML, it resolves external XML entities declared in the document, so the parser fetches attacker-specified resources on the attacker's behalf. This exploitation could enable attackers to access sensitive internal resources, including files and databases.

Apache Tika is a content analysis toolkit used extensively in various systems, such as search indexes, document ingestion pipelines (e.g., Apache Solr, Elasticsearch), compliance tools, and content analysis platforms. Its widespread use makes it an attractive target for attackers seeking to exploit vulnerabilities.

The vulnerability affects three primary modules of Apache Tika: tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5). Any deployment running one of these versions of the toolkit is at risk.

A more detailed breakdown of the affected versions can be found in the advisory released by the Apache Tika project, which describes the impact of CVE-2025-66516 across the affected release lines, including both x.x and higher releases. The advisory further points out that certain 1.x Tika releases shipped PDFParser inside the tika-parsers module, which is why that module appears in the affected list alongside tika-pdf-module.

In order to mitigate this risk, users are urged by the project maintainers to install updates for Apache Tika as soon as possible.
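Until the update is applied, a defender can triage XML streams (such as the XFA form data extracted from a PDF) before they reach a full parser, and parse them with external entity resolution explicitly disabled. The following is an added example, not code from the Apache Tika project; it assumes the XFA stream has already been extracted from the PDF, and the sample documents and the file path in the entity declaration are constructed placeholders.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# DTD constructs that make an XML stream dangerous to hand to a parser with
# external entity resolution enabled. Deliberately broad: a false positive
# only means the document is quarantined for review.
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+%?\s*[^\s>]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def classify_xml(data: bytes) -> str:
    """Pre-parse triage: 'external-entity', 'dtd' or 'plain'."""
    head = data[:65536].decode("utf-8", errors="replace")
    if EXTERNAL_ENTITY_RE.search(head):
        return "external-entity"   # declares a SYSTEM/PUBLIC (external) entity
    if DOCTYPE_RE.search(head):
        return "dtd"               # has a DTD but no external entity; review
    return "plain"


class _TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_hardened(data: bytes) -> str:
    """Parse with external general and parameter entities disabled and return
    the character data; an external entity reference expands to nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return "".join(handler.chunks).strip()


# Constructed sample: an XFA-style stream declaring an external entity.
XFA_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE xdp [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/internal-resource"> ]>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><field name="note">&ext;</field></xdp:xdp>"""

# Constructed sample: a benign XFA-style stream with no DTD at all.
CLEAN_SAMPLE = b"""<?xml version="1.0"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><field name="note">hello</field></xdp:xdp>"""
```

Run `classify_xml` first and reject or quarantine anything that is not `plain`; `parse_hardened` is the fallback for streams that must still be parsed.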

Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Vulnerability-Uncovered-Maximum-Severity-XXE-Flaw-in-Apache-Tika-Exposes-Sensitive-Internal-Resources-ehn.shtml

  • https://securityaffairs.com/185363/security/maximum-severity-xxe-vulnerability-discovered-in-apache-tika.html


  • Published: Fri Dec 5 18:48:50 2025 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.