Ethical Hacking News
Apache Tika vulnerability has been disclosed and patched, but other recent updates are also available for different software applications and tools that may be affected by similar vulnerabilities.
CVE-2025-66516 is a critical security flaw in Apache Tika rated 10.0 on the CVSS scale, the maximum severity. The vulnerability allows XXE (XML External Entity) injection via a crafted XFA file inside a PDF, enabling remote code execution. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2, or did not upgrade the tika-parsers module, are still vulnerable. The Apache Tika team has released patches for the affected packages, including version 3.2.2 of tika-core, tika-parser-pdf-module and tika-parsers.
CVE-2025-66516, a critical security flaw tracked by the CVE (Common Vulnerabilities and Exposures) database, has been disclosed in Apache Tika. This vulnerability is rated 10.0 on the CVSS (Common Vulnerability Scoring System) scoring scale, indicating maximum severity. In this article, we will delve into the details of this critical XXE (XML External Entity) injection attack, its impact on the Apache Tika application, and provide guidance on how to mitigate potential threats.
According to the advisory for the vulnerability, "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF." The impact is remote code execution, which an attacker could use to gain unauthorized access to the application server's file system.
The Apache Tika team has stated that the new CVE, CVE-2025-66516, expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. This means that users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.
Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module. This indicates that users who upgraded the tika-parser-pdf-module but did not upgrade the tika-parsers module would also be affected by this vulnerability.
In light of the criticality of this vulnerability, it is essential for users to apply the updates as soon as possible to mitigate potential threats. The Apache Tika team has released patches for the affected packages, including version 3.2.2 of tika-core, tika-parser-pdf-module and tika-parsers.
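The practical point of the expanded advisory is that checking only the PDF parser module's version is not enough: tika-core (and, on 1.x, tika-parsers) must be checked against their own ranges. The script below is an added example, not Apache Tika tooling, that compares Maven coordinates against the three inclusive ranges quoted in the advisory. The dependency lists are constructed sample input (shaped like `mvn dependency:list` output) and are assumptions, not data from this article.

```python
import re

# Affected version ranges for CVE-2025-66516, inclusive at both ends, as
# quoted in the advisory above: tika-core 1.13-3.2.1,
# tika-parser-pdf-module 2.0.0-3.2.1, tika-parsers 1.13-1.28.5.
AFFECTED_RANGES = {
    "tika-core": ("1.13", "3.2.1"),
    "tika-parser-pdf-module": ("2.0.0", "3.2.1"),
    "tika-parsers": ("1.13", "1.28.5"),
}

# Constructed sample dependency lists ("groupId:artifactId:version").
# These are illustrative assumptions, not taken from the article.
PARTIAL_UPGRADE_3X = [
    "org.apache.tika:tika-core:3.2.1",               # still in range
    "org.apache.tika:tika-parser-pdf-module:3.2.2",  # patched, but not enough
    "org.apache.pdfbox:pdfbox:3.0.0",                # not a Tika artifact
]
LEGACY_1X = [
    "org.apache.tika:tika-core:1.28.5",              # in range 1.13-3.2.1
    "org.apache.tika:tika-parsers:1.28.5",           # in range 1.13-1.28.5
]
FULLY_PATCHED_3X = [
    "org.apache.tika:tika-core:3.2.2",
    "org.apache.tika:tika-parser-pdf-module:3.2.2",
]


def parse_version(version: str) -> tuple:
    """Map '3.2.1' -> (3, 2, 1) and '1.13' -> (1, 13, 0) so that tuples
    compare numerically. Qualifiers such as '-SNAPSHOT' are dropped."""
    numeric = version.split("-", 1)[0]
    parts = [int(p) for p in re.findall(r"\d+", numeric)][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(artifact: str, version: str) -> bool:
    """True if this Tika artifact/version falls inside an advisory range."""
    bounds = AFFECTED_RANGES.get(artifact)
    if bounds is None:
        return False
    low, high = (parse_version(b) for b in bounds)
    return low <= parse_version(version) <= high


def audit(dependencies: list) -> list:
    """Return one finding per org.apache.tika artifact in an affected range.
    An empty list means no coordinate matched the advisory ranges."""
    findings = []
    for coordinate in dependencies:
        group, artifact, version = coordinate.split(":", 2)
        if group == "org.apache.tika" and is_affected(artifact, version):
            low, high = AFFECTED_RANGES[artifact]
            findings.append(
                f"{artifact} {version} is affected (range {low}-{high}); upgrade"
            )
    return findings


if __name__ == "__main__":
    for name, deps in [("partial 3.x upgrade", PARTIAL_UPGRADE_3X),
                       ("legacy 1.x", LEGACY_1X),
                       ("fully patched 3.x", FULLY_PATCHED_3X)]:
        print(f"{name}: {audit(deps) or ['no affected Tika artifacts']}")
```

Running it reports the partially upgraded 3.x project as still affected through tika-core, the 1.x project as affected through both tika-core and tika-parsers, and the fully patched project as clean. The check is deliberately per-artifact rather than per-project, because the two CVEs differ exactly in which artifact carries the fix.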
The severity of this vulnerability cannot be overstated. XXE injection is a vulnerability class in XML processing: an attacker supplies a document whose DTD declares external entities, and a parser that resolves them can be made to read local files or fetch remote resources on the application's behalf. This can lead to unauthorized access to the application server file system, as well as remote code execution. Beyond upgrading, the standard defence is to disable DTD processing and external entity resolution in any XML parser that handles untrusted input. The CVSS rating of 10.0 for CVE-2025-66516 indicates the maximum severity.
In addition to the Apache Tika vulnerability, there are other recent updates available for different software applications and tools that may be affected by similar vulnerabilities. These include:
* Critical XXE Bug CVE-2025-54988 (CVSS 8.4) Hits Content Detection and Analysis Framework
* Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update
* MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants
* New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control
In conclusion, the critical XXE flaw in Apache Tika exposed by CVE-2025-66516 is a high-risk vulnerability that could enable remote code execution. It is essential for users to apply the updates as soon as possible to mitigate potential threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Critical-XXE-Flaw-in-Apache-Tika-Exposed-A-New-High-Risk-Vulnerability-that-Could-Enable-Remote-Code-Execution-ehn.shtml
https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html
https://securityonline.info/the-pdf-trap-critical-vulnerability-cve-2025-66516-cvss-10-0-hits-apache-tika-core/
https://nvd.nist.gov/vuln/detail/CVE-2025-66516
https://www.cvedetails.com/cve/CVE-2025-66516/
https://nvd.nist.gov/vuln/detail/CVE-2025-54988
https://www.cvedetails.com/cve/CVE-2025-54988/
Published: Fri Dec 5 11:11:54 2025 by llama3.2 3B Q4_K_M