Apache Tika Faces Critical Code Injection Threat: Patch Now
A severe vulnerability in Apache Tika exposes any system that runs Tika over untrusted PDFs to XML external entity (XXE) injection, which can disclose local files and, in some deployments, lead to remote code execution. Security experts are urging immediate patching to prevent exploitation.
A serious vulnerability has been discovered in Apache Tika, and it is something you need to address as soon as possible. The flaw lets an attacker carry out an XML external entity (XXE) injection attack simply by getting Tika to parse a malicious PDF.
The vulnerability, tracked as CVE-2025-66516, carries a CVSS score of 10.0, the maximum possible, which puts it firmly in the critical severity band.
According to the official advisory, this "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF." In other words, a PDF carrying a malicious XFA (XML Forms Architecture) form is enough: Tika's PDF parser extracts the embedded XFA XML and feeds it to an XML parser that still resolves external entities, so entity declarations written by the attacker are expanded on your server.
Here's a breakdown of the affected Maven packages:
- org.apache.tika:tika-core >= 1.13, <= 3.2.1 (Patched in version 3.2.2)
- org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1 (Patched in version 3.2.2)
- org.apache.tika:tika-parsers >= 1.13, < 2.0.0 (Patched in version 2.0.0; note that the PDF parser moved to tika-parser-pdf-module in 2.0.0, so a 1.x user who migrates needs that module and tika-core at 3.2.2 or later, not merely a 2.x release)
So, what exactly is XXE injection? It is a class of vulnerability, not limited to web applications, in which an XML parser is allowed to resolve external entities declared in the DTD of an attacker-controlled document. A declaration such as `<!ENTITY xxe SYSTEM "file:///etc/passwd">` tells the parser to read a local file (or fetch an internal URL) and splice the result into the parsed document, so the attacker can read files on the server, reach internal services (SSRF), or cause denial of service, and in some cases the primitive can be chained into remote code execution.
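Tika is a Java library and the vulnerable code path hands XFA XML to a Java XML parser, but the mechanism is the same in any SAX-style parser. The block below is an added example, not Tika's code and not taken from the advisory: it uses Python's standard-library `xml.sax` reader, whose `feature_external_ges` flag plays the role of the Java `external-general-entities` feature, to parse one constructed attacker document twice, once with external entities resolved (the vulnerable configuration) and once with them disabled (the hardened one). The "secret" file it reads is a constructed temporary file.

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Accumulates character data so we can see what the parser spliced in."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def characters(self, content):
        self._parts.append(content)

    def text(self):
        return "".join(self._parts)


def xxe_document(target_path):
    """Constructed attacker document: a DOCTYPE that declares an external
    entity pointing at a file on the parsing host, referenced from the body.
    The same declaration could sit inside an XFA form embedded in a PDF."""
    file_url = pathlib.Path(target_path).resolve().as_uri()
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE form [\n'
        f'  <!ENTITY xxe SYSTEM "{file_url}">\n'
        ']>\n'
        '<form>&xxe;</form>\n'
    )


def parse_xml(xml_text, resolve_external_entities):
    """Parse with Python's expat-backed SAX reader. feature_external_ges is
    the switch that decides whether SYSTEM entities are fetched and expanded;
    it is the Python analogue of the Java 'external-general-entities' feature."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.text()


def demo():
    """Returns (text from the vulnerable parse, text from the hardened parse)
    for the same attacker document. The secret file is constructed here."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")
        secret_path = f.name
    try:
        doc = xxe_document(secret_path)
        leaked = parse_xml(doc, resolve_external_entities=True)   # vulnerable
        safe = parse_xml(doc, resolve_external_entities=False)    # hardened
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

With entity resolution on, the file contents come back as ordinary character data, which is exactly what an extraction library like Tika would then return to its caller (or log, or index). With it off, the entity expands to nothing and the file is never opened. In Java the equivalent hardening is to set `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false on the parser factory and, stronger still, to set `http://apache.org/xml/features/disallow-doctype-decl` to true so that a DOCTYPE is rejected outright, since a document that needs no DTD has no business declaring one.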
CVE-2025-66516 describes the same underlying flaw as CVE-2025-54988, an XXE issue that was patched back in August 2025. The Apache Tika team issued the new CVE because the original advisory understated the set of affected packages in two important ways.
First, updating tika-parser-pdf-module alone after the first patch is not enough: you remain vulnerable unless tika-core is also at version 3.2.2 or later.
Second, the original report did not mention that in Tika 1.x the PDFParser lived in the org.apache.tika:tika-parsers module, so 1.x deployments (1.13 through 1.28.5) are affected too, even though they have no tika-parser-pdf-module dependency to update.
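Because the fix spans three artifacts with different ranges, and a build that has the patched PDF module can still carry a vulnerable core, it is worth checking resolved dependencies mechanically rather than by eye. The block below is an added example (not an Apache tool) that encodes the ranges from the advisory list above and scans the output of `mvn dependency:list` (one `group:artifact:type[:classifier]:version:scope` coordinate per line) or bare `group:artifact:version` strings; it also covers the two scope expansions described above, since tika-core is checked independently of the PDF module and the 1.x tika-parsers artifact is included. Both dependency listings are constructed samples.

```python
import re

# Affected ranges as given in the advisory list above:
# (lowest affected, upper bound, upper bound inclusive?, remediation).
AFFECTED = {
    "org.apache.tika:tika-core":
        ("1.13", "3.2.1", True, "upgrade to 3.2.2 or later"),
    "org.apache.tika:tika-parser-pdf-module":
        ("2.0.0", "3.2.1", True, "upgrade to 3.2.2 or later"),
    "org.apache.tika:tika-parsers":
        ("1.13", "2.0.0", False,
         "artifact split in 2.0.0; move to tika-core and "
         "tika-parser-pdf-module 3.2.2 or later"),
}


def parse_version(text):
    """Numeric prefix of a Maven version ('3.2.1', '2.9.2-SNAPSHOT') as a
    3-tuple. Qualifiers are dropped; '1.13' becomes (1, 13, 0)."""
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", text)
    if not core:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(coordinate, version):
    """True if group:artifact at this version falls inside an advisory range."""
    rng = AFFECTED.get(coordinate)
    if rng is None:
        return False
    low, high, high_inclusive, _ = rng
    v = parse_version(version)
    if v < parse_version(low):
        return False
    return v <= parse_version(high) if high_inclusive else v < parse_version(high)


def parse_dependency_line(line):
    """Pull ('group:artifact', version) out of a `mvn dependency:list` line,
    which reads group:artifact:type[:classifier]:version:scope, or out of a
    bare group:artifact:version token. Returns None for non-coordinate lines."""
    for token in line.split():
        parts = token.split(":")
        if len(parts) == 3:
            return f"{parts[0]}:{parts[1]}", parts[2]
        if len(parts) in (5, 6):
            return f"{parts[0]}:{parts[1]}", parts[-2]
    return None


def check_dependencies(lines):
    """Return [(coordinate, version, remediation)] for every affected artifact."""
    findings = []
    for line in lines:
        parsed = parse_dependency_line(line)
        if parsed and is_affected(*parsed):
            coordinate, version = parsed
            findings.append((coordinate, version, AFFECTED[coordinate][3]))
    return findings


# Constructed sample: a 3.x build that picked up the patched PDF module but
# still resolves the old core, the case the expanded advisory warns about.
SAMPLE_3X = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.slf4j:slf4j-api:jar:2.0.16:compile
"""

# Constructed sample: a legacy 1.x build, where the PDF parser lives in tika-parsers.
SAMPLE_1X = """\
[INFO]    org.apache.tika:tika-core:jar:1.28.5:compile
[INFO]    org.apache.tika:tika-parsers:jar:1.28.5:compile
"""

if __name__ == "__main__":
    for name, sample in (("3.x build", SAMPLE_3X), ("1.x build", SAMPLE_1X)):
        print(name)
        for coordinate, version, advice in check_dependencies(sample.splitlines()):
            print(f"  VULNERABLE {coordinate}:{version}  ->  {advice}")
```

Run it over `mvn dependency:list` output (or `gradle dependencies`, after adapting `parse_dependency_line` to that format) rather than over the declared dependencies in a pom, because Tika is usually an indirect dependency and the version that actually resolves is the one that matters. The version comparison only looks at the numeric prefix, so pre-release qualifiers such as `3.2.2-SNAPSHOT` are treated as 3.2.2; adjust that if your builds ship snapshots.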
The bottom line: this is a serious issue. Upgrade tika-core and tika-parser-pdf-module together to 3.2.2 or later, move any remaining 1.x deployments off tika-parsers entirely, and check transitive dependencies as well as direct ones, since Tika is frequently pulled in indirectly by indexing and content-extraction components. Until the upgrade is in place, treat PDFs from untrusted sources as hostile input.