The bug allows attackers to carry out XML External Entity (XXE) injection attacks via crafted XFA files inside PDF files.
December 8, 2025 By Ionut Arghire
A critical-severity vulnerability in the Apache Tika open source analysis toolkit could allow attackers to perform XML External Entity (XXE) injection attacks.
Apache Tika functions as a universal parser capable of extracting information from virtually all types of files, making it a core part of indexing and analysis tools.
The critical issue, tracked as CVE-2025-66516 (CVSS score of 10/10), impacts the tika-core, tika-pdf-module, and tika-parsers modules of Apache Tika.
Attackers can exploit the flaw via crafted XFA files placed inside PDF files, on all platforms.
Successful exploitation of XXE injection weaknesses could typically lead to information leaks, SSRF attacks, denial-of-service (DoS), or remote code execution (RCE).
Thus, the vulnerability poses a major risk, given the essential role Apache Tika has within search engines, content management systems, and data analysis tools.
CVE-2025-66516, VP of Apache Tika Tim Allison explains in an advisory, expands the scope of CVE-2025-54988 (CVSS score of 8.4), which was publicly disclosed in August.
The original vulnerability, Allison notes, impacts tika-core, but the entry point was the tika-parser-pdf-module package, thus requiring that both packages be updated to fully resolve the bug.
