CVE-2025-66516

Description

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-parser-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside a PDF. This CVE covers the same vulnerability as CVE-2025-54988, but it expands the scope of affected packages in two ways. First, while the entry point for the vulnerability was tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 are still vulnerable. Second, the original report failed to mention that in the 1.x Tika releases the PDFParser lived in the org.apache.tika:tika-parsers module, so 1.x deployments are affected through that artifact.
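The scope statement above is easy to get wrong in practice: a build can carry a patched tika-parser-pdf-module next to an unpatched tika-core and still be exposed. The script below is an added example, not code from the Apache Tika project or from this advisory. It reads the "groupId:artifactId:packaging:version:scope" lines that `mvn dependency:list` prints, checks each Tika artifact against the affected ranges named in the description, and reports the pdf-module/tika-core mismatch separately. The Maven output it parses is constructed for illustration.

```python
"""Audit a Maven dependency listing against the version ranges in CVE-2025-66516.

Added example. The sample listing below is constructed, not captured from a
real build; the affected ranges are the inclusive bounds quoted in the advisory.
"""
import re

# Inclusive affected ranges per artifact, taken from the advisory text.
AFFECTED = {
    "tika-core": ((1, 13), (3, 2, 1)),
    "tika-parser-pdf-module": ((2, 0, 0), (3, 2, 1)),
    "tika-parsers": ((1, 13), (1, 28, 5)),
}
# The fix lives in tika-core; this is the minimum tika-core version to require.
FIXED_CORE = (3, 2, 2)

# Matches e.g. "[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile".
# A qualifier such as "-SNAPSHOT" is ignored; only the numeric part is compared.
DEP_LINE = re.compile(r"org\.apache\.tika:([\w-]+):\w+:([\d.]+)(?:[-\w.]*)?(?::\w+)?")


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); tuples compare lexicographically, which is what we want."""
    return tuple(int(part) for part in text.split("."))


def fmt(version):
    return ".".join(str(part) for part in version)


def tika_artifacts(mvn_output):
    """Return {artifactId: version tuple} for every Tika artifact in the listing."""
    found = {}
    for line in mvn_output.splitlines():
        match = DEP_LINE.search(line)
        if match:
            found[match.group(1)] = parse_version(match.group(2))
    return found


def affected(artifact, version):
    """True if (artifact, version) falls inside an affected range from the advisory."""
    bounds = AFFECTED.get(artifact)
    return bounds is not None and bounds[0] <= version <= bounds[1]


def audit(mvn_output):
    """Return a list of finding strings; an empty list means nothing affected was found."""
    artifacts = tika_artifacts(mvn_output)
    findings = []
    for name, version in sorted(artifacts.items()):
        if affected(name, version):
            findings.append(f"{name} {fmt(version)} is in an affected range")
    # The case the advisory calls out: pdf module patched, tika-core left behind.
    core = artifacts.get("tika-core")
    pdf = artifacts.get("tika-parser-pdf-module")
    if core is not None and pdf is not None and pdf >= FIXED_CORE and core < FIXED_CORE:
        findings.append(
            f"tika-parser-pdf-module {fmt(pdf)} is patched but tika-core {fmt(core)} "
            f"is below {fmt(FIXED_CORE)}; the fix is in tika-core, so this build is still vulnerable"
        )
    return findings


# Constructed sample: the exact mismatch the advisory warns about.
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.apache.pdfbox:pdfbox:jar:3.0.5:compile
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_MVN_OUTPUT):
        print("FINDING:", finding)
```

Run it against `mvn dependency:list` output from the build you actually deploy (not the declared pom, since transitive resolution decides which tika-core ends up on the classpath). For 1.x trees the check keys on tika-parsers, which is where the PDFParser lived before the 2.x module split.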

Risk Information

Base Score: 9.8 (CRITICAL; a CVSS v3.1 base score of 9.0-10.0 rates as Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score (exploitation probability): 1.458%

Associated Vulnerability

Vulnerability | OS Platform
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.60 | Windows
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.61 | Windows
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.62 | Windows
Multiple vulnerabilities are affected in Oracle Communications Order and Service Management 7.5.0 | Windows
Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 11.1 | Windows
Vulnerabilities CVE-2025-66516 are affected in Oracle Communications Order and Service Management 8.0.0 | Windows
Vulnerabilities CVE-2025-66516 are fixed in Apache-tika-core 3.2.2 | Windows
Vulnerabilities CVE-2025-66516 are fixed in Apache-tika-parsers 2.0.0 | Windows
Vulnerabilities CVE-2025-54988, CVE-2025-66516 are fixed in Apache tika-parser-pdf-module 3.2.2 | Windows
Vulnerabilities CVE-2025-66516, CVE-2025-68161 are affected in Oracle Communications Order and Service Management 8.0.0 | Windows
Vulnerabilities CVE-2025-66516 are fixed in Apache-tika-core for Linux 3.2.2 | Linux
Vulnerabilities CVE-2025-66516 are fixed in Apache-tika-parsers for Linux 2.0.0 | Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2025-66516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66516