Critical Apache Tika Core Vulnerability Exploited by Uploading Malicious PDF

A critical security vulnerability in Apache Tika has been discovered that allows attackers to compromise systems by uploading specially crafted PDF files. Organizations worldwide are urged to patch immediately.

Apache Tika is a popular open-source toolkit used by thousands of organizations to extract text and metadata from documents, including PDFs, Word files, and images.

Apache researchers have identified a critical flaw that attackers can exploit by embedding crafted XML form data inside PDF files.

Understanding the Threat

The vulnerability is caused by an XML External Entity (XXE) injection flaw. Attackers create PDF documents containing crafted XFA (XML Forms Architecture) files that trigger the vulnerability when Tika processes them.

This allows attackers to execute arbitrary code, steal sensitive information, or gain unauthorized access to systems.

The vulnerability affects three Apache Tika components across all operating systems:

CVE ID: CVE-2025-66516
CVSS Score: 9.8 (Critical)
Vulnerability Type: XML External Entity (XXE) Injection
Attack Vector: Malicious XFA files embedded in PDF documents
Affected Platforms: All (Windows, Linux, macOS)

Tika-core: Versions 1.13 through 3.2.1 are vulnerable. This is the core library containing the actual flaw.

Tika-parsers: Versions from 1.13 up to, but not including, 2.0.0 are affected. This older module contained the PDF parser functionality.

Tika PDF parser module: Versions 2.0.0 through 3.2.1 are vulnerable. This is the newer dedicated PDF component.

This vulnerability expands beyond the original CVE-2025-54988 in critical ways.

First, while the vulnerability appeared to be confined to the PDF parser module, the actual flaw lies in Tika-core. Organizations that only updated the PDF parser without upgrading Tika-core remain vulnerable to attack.

Second, the original report overlooked that older Tika 1.x releases packaged the PDF parser in the “tika-parsers” module rather than as a separate component.

This means legacy systems could be vulnerable even if users believed they had patched the issue.

Immediate action is required: Upgrade Tika-core to version 3.2.2 or later. This single update addresses the vulnerability across all components.
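The practical check a security team needs is whether the deployed Tika artifacts fall inside the version ranges listed above, with Tika-core treated as the deciding artifact. The following script is an added illustration, not Apache code; it assumes the Maven artifact names tika-core, tika-parsers and tika-parser-pdf-module, and encodes the ranges exactly as the advisory text gives them.

```python
"""Compare deployed Apache Tika artifact versions against the ranges the
CVE-2025-66516 advisory lists. Added illustration, not Apache's own tooling."""
import re

# Artifact -> (lowest affected version, first fixed version), from the text above.
# Artifact names are assumed Maven artifactIds.
AFFECTED_RANGES = {
    "tika-core": ("1.13", "3.2.2"),              # 1.13 through 3.2.1
    "tika-parsers": ("1.13", "2.0.0"),           # 1.13 up to but not including 2.0.0
    "tika-parser-pdf-module": ("2.0.0", "3.2.2"),  # 2.0.0 through 3.2.1
}


def parse_version(version):
    """Turn '3.2.1' into (3, 2, 1); missing components become 0."""
    match = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected(artifact, version):
    """True if the artifact/version pair lies inside an advisory range."""
    if artifact not in AFFECTED_RANGES:
        return False
    low, fixed = AFFECTED_RANGES[artifact]
    return parse_version(low) <= parse_version(version) < parse_version(fixed)


def assess(deployed):
    """deployed: {artifact: version}. Returns (affected artifacts, advice)."""
    affected = sorted(a for a, v in deployed.items() if is_affected(a, v))
    core = deployed.get("tika-core")
    if core is not None and is_affected("tika-core", core):
        # The flaw lives in tika-core, so a patched PDF module alone is not enough.
        advice = "upgrade tika-core to 3.2.2 or later"
    elif affected:
        advice = "upgrade the affected modules to 3.2.2 or later"
    else:
        advice = "no affected Tika artifacts found"
    return affected, advice


if __name__ == "__main__":
    # Constructed sample: PDF module already patched, tika-core left behind.
    print(assess({"tika-core": "3.2.1", "tika-parser-pdf-module": "3.2.2"}))
```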

Apache advises organizations using older 1.x versions to contact their software vendor immediately for patched releases. Do not wait for automatic updates.

Temporary mitigation: Restrict PDF file uploads from untrusted external sources until patching is complete.

Organizations that handle sensitive documents, financial records, legal papers, and personal data face an elevated risk from this vulnerability.

Apache Tika maintainers have released fixes, but deployment remains critical. Security teams should prioritize this patch in their vulnerability management processes.
