A critical security vulnerability in Apache Tika has been discovered that attackers can trigger by submitting specially crafted PDF files to any service that runs Tika over untrusted documents. Organizations worldwide are urged to patch immediately.
Apache Tika is a popular open-source toolkit used by thousands of organizations to extract text and metadata from documents, including PDFs, Word files, and images.
Apache researchers have identified a critical flaw that attackers can exploit by embedding crafted XML, in the form of an XFA form, inside PDF files.
Apache Tika Core Vulnerability
The vulnerability is an XML External Entity (XXE) injection flaw. Attackers create PDF documents containing crafted XFA (XML Forms Architecture) form data; XFA is stored as XML streams inside the PDF, and Tika's PDF parser hands that XML to an XML parser that resolved external entities declared in the document's DTD.
A parser that resolves external entities can be made to read files accessible to the Tika process and return their contents in the extracted text, to make outbound requests to attacker-chosen URLs (server-side request forgery), or to exhaust memory and CPU through entity expansion. XXE does not by itself yield arbitrary code execution; the exposure is disclosure of sensitive data and denial of service on every service that processes untrusted documents with Tika, which for a document-ingestion library is most deployments.
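The following is an added example, not Apache Tika code and not a substitute for the vendor fix: a heuristic pre-filter that inflates each PDF stream and flags XFA (or any other XML) payloads whose DOCTYPE declares an external entity, or declares enough internal entities to look like an expansion attack. The sample PDFs, the `ENTITY_LIMIT` threshold and the `/XFA` check are all assumptions made for the demonstration; it only handles uncompressed and FlateDecode streams, so it is a triage aid for upload gateways and after-the-fact hunting, and upgrading Tika remains the actual remediation.

```python
"""Heuristic triage for PDFs that carry XFA (or other XML) streams with
external-entity declarations, the document shape the advisory describes.

Added example; this is not Apache Tika code and it does not fix the parser.
Run it on uploads before they reach Tika, or over an upload store afterwards.
"""
import re
import zlib

# A stream body between the "stream" and "endstream" keywords.  The lookbehind
# keeps the "stream" inside "endstream" from starting a second, bogus match.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# XML keywords are case-sensitive, so a conforming parser ignores lowercase
# variants; an external entity (general or parameter) needs SYSTEM or PUBLIC.
_EXTERNAL_ENTITY = re.compile(rb"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b")
_ANY_ENTITY = re.compile(rb"<!ENTITY\b")

# More entity declarations than this in one stream is treated as an expansion
# (billion-laughs) attempt.  Assumed threshold; tune it for your documents.
ENTITY_LIMIT = 16


def _decode_stream(raw: bytes) -> bytes:
    """Inflate a FlateDecode stream; anything else is returned untouched."""
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw


def scan_pdf(pdf: bytes) -> dict:
    """Report whether the PDF declares an /XFA key, every external-entity
    declaration found in any stream (as (stream index, declaration) pairs),
    and the largest number of entity declarations seen in a single stream."""
    external = []
    max_entities = 0
    for index, match in enumerate(_STREAM.finditer(pdf)):
        body = _decode_stream(match.group(1))
        if b"<!DOCTYPE" not in body:
            continue  # no DTD, so no entity declarations to worry about
        external.extend(
            (index, hit.group(0).decode("latin-1"))
            for hit in _EXTERNAL_ENTITY.finditer(body)
        )
        max_entities = max(max_entities, len(_ANY_ENTITY.findall(body)))
    return {
        "declares_xfa": b"/XFA" in pdf,
        "external_entities": external,
        "max_entities_per_stream": max_entities,
    }


def should_quarantine(pdf: bytes) -> bool:
    """True when the file should not reach an unpatched Tika instance."""
    report = scan_pdf(pdf)
    return bool(report["external_entities"]) or report["max_entities_per_stream"] > ENTITY_LIMIT


def build_sample_pdf(xfa_xml: bytes, compress: bool) -> bytes:
    """Construct a minimal PDF whose AcroForm carries the given XFA XML.
    Sample input built here for the demonstration, not a real-world file."""
    data = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b"/Filter /FlateDecode " if compress else b""
    objects = [
        b"<< /Type /Catalog /AcroForm 2 0 R >>",
        b"<< /Fields [] /XFA 3 0 R >>",
        b"<< " + filt + b"/Length %d >>\nstream\n" % len(data) + data + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref_at)
    return bytes(out)


# Constructed payload in the shape the advisory describes: an XFA form whose
# DOCTYPE declares an external entity, then references it from a field value.
XXE_XFA = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE xdp:xdp [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>'
    b'<subform name="form1"><field name="f"><value><text>&xxe;</text></value>'
    b"</field></subform></template></xdp:xdp>\n"
)
BENIGN_XFA = (
    b'<?xml version="1.0"?>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template/></xdp:xdp>\n'
)

if __name__ == "__main__":
    for label, xml in (("xxe", XXE_XFA), ("benign", BENIGN_XFA)):
        for compress in (False, True):
            pdf = build_sample_pdf(xml, compress)
            print(label, "flate" if compress else "raw", scan_pdf(pdf), should_quarantine(pdf))
```

The scan deliberately looks at every stream rather than only the one referenced by `/XFA`, because the same XML parser also sees XMP metadata and other embedded XML, and because a rejected DOCTYPE in any stream is a sign the file was built for an XML parser rather than a reader. Streams compressed with filters other than FlateDecode, or packed inside object streams, are not inflated here and will be missed; a patched Tika is the control that closes that gap.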
The vulnerability affects three Apache Tika components across all operating systems:
| Field | Value |
|---|---|
| CVE ID | CVE-2025-66516 |
| CVSS Score | 9.8 (Critical) |
| Vulnerability Type | XML External Entity (XXE) Injection |
| Attack Vector | Malicious XFA files embedded in PDF documents |
| Affected Platforms | All (pure Java library: Windows, Linux, macOS) |
tika-core: versions 1.13 through 3.2.1 are vulnerable. This is the core library containing the actual flaw.
