Critical XXE Vulnerability CVE-2025-66516 Discovered in Apache Tika Demands Immediate Attention

By Tina Reynolds

A critical security vulnerability has been discovered in Apache Tika, a widely used content analysis toolkit that’s often deployed by law enforcement. The vulnerability, tracked as CVE-2025-66516, is extremely dangerous. It allows XML External Entity (XXE) injection, which lets an attacker influence how the application resolves external data while processing XML. The issue carries the highest possible severity rating of 10.0 on the Common Vulnerability Scoring System (CVSS). If you use the affected software, act now.

The vulnerability specifically affects the org.apache.tika:tika-parsers module and its related components. If you previously upgraded tika-parser-pdf-module, also upgrade tika-core to version 3.2.2 or later; leaving tika-core on an older version leaves the exposure in place.

Details of the Vulnerability

CVE-2025-66516 spans multiple versions of several Apache Tika components. It affects org.apache.tika:tika-core versions 1.13 through 3.2.1, org.apache.tika:tika-parser-pdf-module versions 2.0.0 through 3.2.1, and org.apache.tika:tika-parsers versions from 1.13 up to but not including 2.0.0.

The advisory released on the Apache mailing list states that “Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF.” This wording makes plain the seriousness of the threat and the need for immediate action.

Recommended Actions for Users

To protect against this vulnerability, users need to update their Apache Tika installations immediately. The patched versions are org.apache.tika:tika-core 3.2.2, org.apache.tika:tika-parser-pdf-module 3.2.2, and org.apache.tika:tika-parsers 2.0.0. Updating every relevant component, not just a single module, is what closes the XXE injection path for developers and users.
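A dependency audit that encodes the affected ranges and fixed versions given above, as an added Python example rather than anything from the Apache Tika project: it reads a constructed `mvn dependency:list`-style output (the `group:artifact:type[:classifier]:version:scope` line format is an assumption about that tool's output), flags every artifact inside an affected range, and separately calls out the case the advisory stresses, where tika-parser-pdf-module has been upgraded but tika-core has not.

```python
"""Audit resolved Maven dependencies against the CVE-2025-66516 version ranges.

Added example; not code from the Apache Tika project. The affected ranges and
fixed versions come from the advisory text; the dependency-list line format
(group:artifact:type[:classifier]:version:scope) is an assumption about
`mvn dependency:list` output.
"""
import re

# Inclusive affected ranges per Maven artifact, as stated in the advisory.
AFFECTED = {
    "org.apache.tika:tika-core": ("1.13", "3.2.1"),
    "org.apache.tika:tika-parser-pdf-module": ("2.0.0", "3.2.1"),
    "org.apache.tika:tika-parsers": ("1.13", "1.28.5"),
}

# First version of each artifact that carries the fix.
FIXED_IN = {
    "org.apache.tika:tika-core": "3.2.2",
    "org.apache.tika:tika-parser-pdf-module": "3.2.2",
    "org.apache.tika:tika-parsers": "2.0.0",
}

CORE = "org.apache.tika:tika-core"
PDF_MODULE = "org.apache.tika:tika-parser-pdf-module"


def parse_version(version: str) -> tuple:
    """Turn '3.2.1' (or '3.2.1-SNAPSHOT') into a comparable tuple, zero-padded to three parts."""
    numeric = version.split("-")[0]
    parts = [int(p) for p in numeric.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(artifact: str, version: str) -> bool:
    """True if this artifact/version falls inside an affected range."""
    if artifact not in AFFECTED:
        return False
    low, high = AFFECTED[artifact]
    return parse_version(low) <= parse_version(version) <= parse_version(high)


# A resolved coordinate is a single colon-separated token after the log prefix.
_DEP_LINE = re.compile(r"^\[INFO\]\s+(\S+:\S+)$")


def parse_dependency_list(text: str) -> dict:
    """Map 'group:artifact' -> version from dependency:list style lines."""
    deps = {}
    for line in text.splitlines():
        m = _DEP_LINE.match(line)
        if not m:
            continue
        fields = m.group(1).split(":")
        if len(fields) < 5:
            continue  # not a group:artifact:type:version:scope coordinate
        group, artifact, version = fields[0], fields[1], fields[-2]
        deps[f"{group}:{artifact}"] = version
    return deps


def audit(dependencies: dict) -> list:
    """Return findings for every affected artifact, plus the core/pdf-module mismatch."""
    findings = []
    for artifact, version in sorted(dependencies.items()):
        if is_affected(artifact, version):
            findings.append(
                f"{artifact} {version} is affected by CVE-2025-66516; "
                f"upgrade to {FIXED_IN[artifact]}"
            )
    # The fix lives in tika-core: a patched pdf module with a stale core is still exposed.
    core_version = dependencies.get(CORE)
    pdf_version = dependencies.get(PDF_MODULE)
    if (core_version and pdf_version
            and is_affected(CORE, core_version)
            and not is_affected(PDF_MODULE, pdf_version)):
        findings.append(
            "tika-parser-pdf-module is patched but tika-core is not; the fix is in tika-core"
        )
    return findings


# Constructed sample output, not from a real build.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.example:unrelated-lib:jar:1.0.0:compile
"""

if __name__ == "__main__":
    for finding in audit(parse_dependency_list(SAMPLE_DEPENDENCY_LIST)):
        print(finding)
```

The version comparison is deliberately numeric-only so it needs no third-party library; anything with a qualifier such as `-SNAPSHOT` is compared on its numeric prefix, which is conservative for this purpose.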

The impact goes well beyond individual users. Organizations that depend on Apache Tika should prioritize these updates across every system that runs it; doing so protects both the integrity of their operations and the sensitive data those operations handle.

Understanding XXE Injection Attacks

XXE injection is an attack on weaknesses in XML parsers. An attacker supplies XML containing malicious entity declarations; a parser that resolves them can be made to read internal files or reach internal services, often leading to complete system takeover. In Apache Tika this weakness is reachable through specially crafted PDF files.
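The mechanism described above, worked through in an added Python example (not code from Apache Tika or from this article's author): a pre-parse guard that uses the standard library's expat bindings to report DOCTYPE declarations, external entity declarations and external entity references in an XML document such as an XFA stream extracted from a PDF, and refuses to hand anything containing them to the real parser. Both sample documents are constructed, the `file:///placeholder/path` system identifier is a placeholder, and nothing is fetched: the external-entity callback only records the attempt.

```python
"""Pre-parse guard for XML (for example an XFA stream pulled out of a PDF).

Added example; not code from the Apache Tika project. It reports DOCTYPE
declarations, external entity declarations and references to external
entities, and refuses to parse a document that has any of them.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


def scan_for_xxe(data: bytes) -> list:
    """Return XXE-relevant findings; an empty list means no DTD tricks were seen."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is suspicious in data formats that never need one.
        findings.append(f"DOCTYPE {name} (system id: {sysid!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Internal entities have a value; external ones carry a SYSTEM/PUBLIC id.
        if sysid is not None or pubid is not None:
            kind = "parameter" if is_param else "general"
            findings.append(f"external {kind} entity {name} -> {sysid!r}")

    def on_external_ref(context, base, sysid, pubid):
        # Record the attempt and return 1 so expat continues without the
        # entity's content; this callback never opens a file or URL.
        findings.append(f"reference to external entity -> {sysid!r}")
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    # Never follow external parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings


def parse_if_clean(data: bytes) -> ET.Element:
    """Parse only documents the guard found clean; raise ValueError otherwise."""
    findings = scan_for_xxe(data)
    if findings:
        raise ValueError("rejected XML: " + "; ".join(findings))
    return ET.fromstring(data)


# Constructed XFA-like document with no DTD at all: the normal case.
BENIGN_XFA = b"""<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <template><subform name="form1"><field name="name"/></subform></template>
</xdp:xdp>"""

# Constructed document in the textbook XXE shape; the path is a placeholder.
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE xdp [
  <!ENTITY ext SYSTEM "file:///placeholder/path">
]>
<xdp><field>&ext;</field></xdp>"""

if __name__ == "__main__":
    print("benign:", scan_for_xxe(BENIGN_XFA))
    print("xxe:   ", scan_for_xxe(XXE_SAMPLE))
```

The guard is a detection layer, not a substitute for fixing the parser: the point it illustrates is that an XML document arriving inside another file format (here, XFA inside a PDF) still reaches an XML parser, so the DOCTYPE and entity machinery has to be disabled or rejected at that boundary.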

“First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core,” clarifies a team member involved in addressing this issue. This is a good reminder of how interconnected software components are and why an update has to cover the whole dependency set rather than a single module.