Bug#1121954: tika: CVE-2025-66516
Salvatore Bonaccorso
carnil at debian.org
Fri Dec 5 07:25:22 GMT 2025
Source: tika
Version: 1.22-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for tika.
CVE-2025-66516[0]:
| Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module
| (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all
| platforms allows an attacker to carry out XML External Entity
| injection via a crafted XFA file inside of a PDF. This CVE covers
| the same vulnerability as in CVE-2025-54988. However, this CVE
| expands the scope of affected packages in two ways. First, while
| the entrypoint for the vulnerability was the tika-parser-pdf-module
| as reported in CVE-2025-54988, the vulnerability and its fix were in
| tika-core. Users who upgraded the tika-parser-pdf-module but did not
| upgrade tika-core to >= 3.2.2 would still be vulnerable. Second,
| the original report failed to mention that in the 1.x Tika releases,
| the PDFParser was in the "org.apache.tika:tika-parsers" module.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-66516
https://www.cve.org/CVERecord?id=CVE-2025-66516
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list