Atlassian fixed maximum severity flaw CVE-2025-66516 in Apache Tika

Pierluigi Paganini
December 15, 2025

Atlassian released security updates to address dozens of flaws, including multiple critical-severity vulnerabilities.

Atlassian addressed dozens of vulnerabilities impacting its products, including multiple critical-severity issues. One of the most severe bugs is a maximum-severity XML External Entity (XXE) injection flaw, tracked as CVE-2025-66516 (CVSS score of 10/10), in Apache Tika.

CVE-2025-66516 carries a maximum CVSS rating of 10.0 because it lets attackers trigger an XXE injection in Apache Tika’s core, PDF, and parser modules. An attacker can embed a malicious XFA file inside a PDF and trick Tika into processing external XML entities, opening a path to sensitive internal resources.

Apache Tika is an open-source content analysis toolkit used to extract text, metadata, and structured information from virtually any type of file. Tika is widely used in systems like search indexes, document ingestion pipelines (e.g., Apache Solr, Elasticsearch), compliance tools, and content analysis platforms.

“Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988.” reads the advisory. “However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the ‘org.apache.tika:tika-parsers’ module.”

XXE injection (XML External Entity injection) is a class of vulnerability that arises when an application parses attacker-supplied XML with a parser that is configured to resolve external entities: declarations in the document's DTD that reference files or URLs outside the document. Because the parser, not the application, dereferences those references, the fix is almost always a parser configuration change rather than input filtering.
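As an added illustration (not code from the article, from Atlassian, or from the Tika project), the Python snippet below parses a constructed XML document that declares an external entity, once with the SAX parser's external-general-entities feature enabled and once with it disabled. The entity resolver records every lookup the parser asks for and refuses it, so the demonstration never touches disk or network; the entity URL is a placeholder. Tika itself is Java and its fix lives in tika-core, but the mechanism it illustrates is the same: the parser configuration decides whether a `SYSTEM` identifier in the DTD is ever dereferenced.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges

# Constructed sample document (not from the advisory): it declares an external
# general entity whose system identifier is a placeholder URL, then references
# that entity inside the <doc> element.
SAMPLE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE doc [<!ENTITY ext SYSTEM "http://internal.example/resource">]>
<doc>report:&ext;</doc>"""


class ExternalEntityBlocked(Exception):
    """Raised the moment the parser asks to fetch an external entity."""


class RefusingResolver(EntityResolver):
    """Logs each external-entity lookup the parser requests and refuses it.

    In an ingestion pipeline this is where a defender would emit an alert:
    a correctly hardened parser never calls this method at all.
    """

    def __init__(self):
        self.attempted = []

    def resolveEntity(self, publicId, systemId):
        self.attempted.append(systemId)
        raise ExternalEntityBlocked(systemId)


class TextCollector(ContentHandler):
    """Collects character data so we can see what the document resolved to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse(data: bytes, resolve_external: bool):
    """Parse `data`; returns ("ok", text) or ("blocked", system_id).

    resolve_external=False is the hardened configuration: external general
    entities are skipped and the resolver is never consulted.
    resolve_external=True is the insecure configuration: the parser tries to
    fetch the entity, which our resolver records and refuses.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    resolver = RefusingResolver()
    parser.setEntityResolver(resolver)
    collector = TextCollector()
    parser.setContentHandler(collector)
    try:
        parser.parse(io.BytesIO(data))
    except ExternalEntityBlocked as exc:
        return ("blocked", str(exc))
    return ("ok", "".join(collector.parts))


if __name__ == "__main__":
    print("hardened:", parse(SAMPLE_XML, resolve_external=False))
    print("insecure:", parse(SAMPLE_XML, resolve_external=True))
```

With the feature disabled the document parses to the literal text `report:` and the resolver is never called; with it enabled the parser immediately asks for `http://internal.example/resource`. Rejecting any document that carries a DOCTYPE at all, before parsing, is a stricter option where an application has no legitimate need for DTDs.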

The vulnerability affects the following versions:

  • Apache Tika core (org.apache.tika:tika-core) 1.13 through 3.2.1
  • Apache Tika parsers (org.apache.tika:tika-parsers) 1.13 before 2.0.0
  • Apache Tika PDF parser module (org.apache.tika:tika-parser-pdf-module) 2.0.0 through 3.2.1

According to the advisory, the new CVE describes the same flaw as CVE-2025-54988 but clarifies that the issue is broader. Although it was initially linked to the PDF parser module, the root vulnerability and its fix are actually in tika-core, meaning anyone who updated only the PDF module without upgrading tika-core to version 3.2.2 or later remains exposed. It also notes that older Tika 1.x releases include PDFParser inside the tika-parsers module, expanding the set of affected packages beyond what the first advisory stated.
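Because the exposure depends on which Tika artifacts are present and at which versions, the practical check is to walk the resolved dependency tree rather than look only at the PDF module. The following Python script is an added example (not from the article or the Tika project): it scans `mvn dependency:list` style output for the three artifacts and the version ranges listed above. The sample output is constructed to exercise each range and is not a realistic dependency tree; the first-fixed version of tika-core is 3.2.2 as the advisory states, and the script assumes the same first-fixed version for tika-parser-pdf-module, whose affected range ends at 3.2.1.

```python
import re

# Affected ranges as [first affected, first fixed), taken from the advisory
# quoted above. tika-parsers 1.x is affected through the end of the 1.x line,
# because the 2.0.0 release moved the PDF parser into its own module.
AFFECTED = {
    "org.apache.tika:tika-core": ((1, 13, 0), (3, 2, 2)),
    "org.apache.tika:tika-parsers": ((1, 13, 0), (2, 0, 0)),
    # Assumption: 3.2.2 is the first fixed release of the PDF module as well.
    "org.apache.tika:tika-parser-pdf-module": ((2, 0, 0), (3, 2, 2)),
}

# Constructed sample of `mvn dependency:list` output (not real project output).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.apache.tika:tika-parsers:jar:1.28.5:compile
[INFO]    com.example:app-lib:jar:1.0.0:compile
"""


def parse_version(version: str):
    """Turn '3.2.1' or '3.2.1-SNAPSHOT' into a 3-tuple; None if no digits."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(coordinate: str, version: str) -> bool:
    """True if group:artifact at `version` falls inside an affected range."""
    if coordinate not in AFFECTED:
        return False
    v = parse_version(version)
    if v is None:
        return False
    lo, hi = AFFECTED[coordinate]
    return lo <= v < hi


def scan_dependency_list(text: str):
    """Return [(coordinate, version)] for every affected artifact in the text.

    Maven prints resolved artifacts as group:artifact:type[:classifier]:version:scope,
    so the version is always the second-to-last colon-separated field.
    """
    findings = []
    for line in text.splitlines():
        for token in line.split():
            parts = token.split(":")
            if len(parts) not in (5, 6):
                continue
            coordinate = f"{parts[0]}:{parts[1]}"
            version = parts[-2]
            if is_affected(coordinate, version):
                findings.append((coordinate, version))
    return findings


if __name__ == "__main__":
    for coordinate, version in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"AFFECTED {coordinate} {version}")
```

On the constructed sample the script flags tika-core 3.2.1 even though tika-parser-pdf-module is already at 3.2.2, which is exactly the partial-upgrade case the advisory warns about, and it flags tika-parsers 1.28.5 because every 1.x release from 1.13 onward ships the PDFParser.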

The list of critical flaws addressed by Atlassian this month includes prototype pollution bugs in Confluence, Jira, and Jira Service Management, plus dozens of high-severity DoS, XXE, SSRF, file inclusion, and RCE issues.

One of these is a prototype pollution issue in the zrender dependency of Jira Software Data Center and Server, tracked as CVE-2021-39227 (CVSS score of 9.8).

“ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution. It affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly. The GitHub Security Advisory page for this vulnerability contains a proof of concept. This issue is patched in ZRender version 5.2.1.” reads the advisory. “One workaround is available: Check if there is `__proto__` in the object keys. Omit it before using it as a parameter in these affected methods. Or in `echarts.util.merge` and `setOption` if the project is using ECharts.”

The vendor also fixed another prototype pollution vulnerability, tracked as CVE-2022-37601, in the parseQuery function of parseQuery.js in webpack's loader-utils, reachable through the name variable in that file. The flaw affects all versions prior to 1.4.1 and 2.0.3.

The list of vulnerabilities addressed this month is reported in the December 2025 security advisory.

Pierluigi Paganini
