Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch
These articles are AI-generated summaries. Please check the original sources for full details.
A critical XML External Entity (XXE) injection flaw, CVE-2025-66516, has been disclosed in Apache Tika, rated 10.0 on the CVSS scale. The vulnerability allows attackers to exfiltrate server files or execute remote code via crafted XFA files in PDFs.
Why This Matters
XML parsing in real-world systems often assumes trusted input, but XXE attacks exploit lax entity resolution to bypass this trust. CVE-2025-66516 demonstrates how even well-maintained libraries like Apache Tika can fail to sanitize XML inputs, risking full system compromise. The CVSS 10.0 score reflects the potential for total data exposure or remote code execution, with no mitigations other than patching.
Key Insights
- “CVSS 10.0 vulnerability CVE-2025-66516 affects Apache Tika modules tika-core (1.13–3.2.1), tika-pdf-module (2.0.0–3.2.1), and tika-parsers (1.13–1.28.5)” (The Hacker News, 2025-12-05)
- “Sagas over ACID for e-commerce”: Not applicable here; XXE requires input validation, not distributed transaction models.
- “Apache Tika used by enterprise document processing systems” (implied by widespread adoption of its PDF parsing capabilities)
Practical Applications
- Use Case: Enterprises using Apache Tika for PDF analysis must upgrade to tika-core 3.2.2 or tika-parsers 2.0.0 to prevent XXE attacks.
- Pitfall: Upgrading only tika-parser-pdf-module without tika-core leaves systems vulnerable, as the fix resides in tika-core.