CVE-2025-66516
Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected
Description
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
INFO
Published Date :
Dec. 4, 2025, 5:15 p.m.
Last Modified :
Dec. 18, 2025, 2:49 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 4.0 | CRITICAL | f0158376-9dc2-43b6-827c-5f631a4d8d09 | ||||
| CVSS 4.0 | CRITICAL | [email protected] |
Solution
- Update tika-core to version 3.2.2 or later.
- Update tika-parsers to version 1.28.5 or later.
- Update tika-pdf-module to version 3.2.2 or later.
Public PoC/Exploit Available at Github
CVE-2025-66516 has a 9 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-66516.
| URL | Resource |
|---|---|
| https://cve.org/CVERecord?id=CVE-2025-54988 | Third Party Advisory |
| https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k | Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-66516 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-66516
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Java
Creating a vulnerable instance to test against
Dockerfile Batchfile Shell Java
A POC for the CVE-2025-66516 Apache Tika Vulnerability for educational purposes only
Java Python
Apache Tika
HTML Java XSLT Groovy Shell C C++ JavaScript MATLAB SAS
CVE-2025-66516 working exploit, scanner, explanation.
apache exploit tika cve-2025-66516
Python Dockerfile HTML
CVE-2025-66516
Python
None
Python
None
Cringe AF not gonna lie
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-66516 vulnerability anywhere in the article.
-
The Hacker News
CISA Adds Actively Exploited Sierra Wireless Router Flaw Enabling RCE Attacks
Dec 13, 2025Ravie LakshmananNetwork Security / Vulnerability The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a high-severity flaw impacting Sierra Wireless AirLink A ... Read more
-
The Hacker News
New React RSC Vulnerabilities Enable DoS and Source Code Exposure
Dec 12, 2025Ravie LakshmananSoftware Security / Vulnerability The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could res ... Read more
-
The Hacker News
CISA Flags Actively Exploited GeoServer XXE Flaw in Updated KEV Catalog
Dec 12, 2025Ravie LakshmananVulnerability / Server Security The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting OSGeo GeoServer ... Read more
-
The Hacker News
ThreatsDay Bulletin: Spyware Alerts, Mirai Strikes, Docker Leaks, ValleyRAT Rootkit — and 20 More Stories
This week's cyber stories show how fast the online world can turn risky. Hackers are sneaking malware into movie downloads, browser add-ons, and even software updates people trust. Tech giants and gov ... Read more
-
The Hacker News
Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks
Dec 11, 2025Ravie LakshmananVulnerability / Cloud Security A high-severity unpatched security vulnerability in Gogs has come under active exploitation, with more than 700 compromised instances acces ... Read more
-
The Hacker News
Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution
Dec 11, 2025Ravie LakshmananVulnerability / Encryption Huntress is warning of a new actively exploited vulnerability in Gladinet's CentreStack and Triofox products stemming from the use of hard-code ... Read more
-
The Hacker News
React2Shell Exploitation Delivers Crypto Miners and New Malware Across Multiple Sectors
React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of ... Read more
-
The Hacker News
.NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL
Dec 10, 2025Ravie LakshmananEnterprise Security / Web Services New research has uncovered exploitation primitives in the .NET Framework that could be leveraged against enterprise-grade applications ... Read more
-
The Hacker News
Three PCIe Encryption Weaknesses Expose PCIe 5.0+ Systems to Faulty Data Handling
Dec 10, 2025Ravie LakshmananHardware Security / Vulnerability Three security vulnerabilities have been disclosed in the Peripheral Component Interconnect Express (PCIe) Integrity and Data Encryption ... Read more
-
The Hacker News
Warning: WinRAR Vulnerability CVE-2025-6218 Under Active Attack by Multiple Threat Groups
Dec 10, 2025Ravie LakshmananVulnerability / Malware The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compressi ... Read more
-
The Hacker News
Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws
Fortinet, Ivanti, and SAP have moved to address critical security flaws in their products that, if successfully exploited, could result in an authentication bypass and code execution. The Fortinet vul ... Read more
-
The Hacker News
North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware
Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical security React2Shell flaw in React Server Components (RSC) to deliver a previously undoc ... Read more
-
CybersecurityNews
500+ Apache Tika Toolkit Instances Vulnerable to Critical XXE Attack Exposed Online
Over 565 internet-exposed Apache Tika Server instances are vulnerable to a critical XML External Entity (XXE) injection flaw. That could enable attackers to steal sensitive data, launch denial-of-serv ... Read more
-
The Cyber Express
Apache Tika Vulnerability Widens Across Multiple Modules, Severity Now 10.0
A security issue disclosed in the Apache Tika document-processing framework has proved broader and more serious than first believed. The project’s maintainers have issued a new advisory revealing that ... Read more
-
TheCyberThrone
CISA Adds Array Networks and D-Link Vulnerabilities to KEV Catalog
December 9, 2025CISA has recently added critical vulnerabilities from Array Networks ArrayOS AG VPN devices and D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, signaling active re ... Read more
-
TheCyberThrone
Google Chrome 143 Stable Channel Released
December 8, 2025Google Chrome 143 patches four high-severity vulnerabilities (CVE-2025-13630 to CVE-2025-13633), all enabling remote code execution, privilege escalation, or sandbox escapes when chain ... Read more
-
The Hacker News
Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks
A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence. The remote code execution vulnerability in question is CVE-2025- ... Read more
-
The Register
Apache warns of 10.0-rated flaw in Tika metadata ingestion tool
Infosec in Brief The Apache Foundation last week warned of a 10.0-rated flaw in its Tika toolkit. Tika detects and extracts metadata from over 1,000 different file formats. Last August, Apache reporte ... Read more
-
TheCyberThrone
React2Shell: The Silent Server Takeover – Exploit Chains and Threat Actor Onslaught
In late 2025, React Server Components (RSC) electrified the web dev world, powering Next.js apps with seamless server-client fusion across Vercel, Netlify, and AWS Lambda. Millions of sites lit up wit ... Read more
-
TheCyberThrone
Apache Tika CVE-2025-66516 Scores Perfect 10
December 6, 2025CVE-2025-66516, a critical XXE vulnerability in Apache Tika’s core with CVSS 10.0, exposes organizations to data exfiltration and SSRF through malicious PDF uploads, affecting document ... Read more
The following table lists the changes that have been made to the
CVE-2025-66516 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Dec. 18, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:* versions from (including) 1.13 up to (excluding) 3.2.2 Added Reference Type Apache Software Foundation: https://cve.org/CVERecord?id=CVE-2025-54988 Types: Third Party Advisory Added Reference Type Apache Software Foundation: https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k Types: Vendor Advisory -
New CVE Received by [email protected]
Dec. 04, 2025
Action Type Old Value New Value Added Description Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-611 Added Reference https://cve.org/CVERecord?id=CVE-2025-54988 Added Reference https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k