The Apache Software Foundation (ASF) has issued a new CVE identifier for a critical security flaw in Apache Tika because its original vulnerability disclosure did not capture the full extent of affected components and left many users exposed despite applying the recommended patch.
The new maximum-severity CVE-2025-66516 (CVSS score: 10) updates CVE-2025-54988, a critical XML External Entity (XXE) flaw that ASF disclosed in August and described at the time as affecting Apache Tika 1.13 through 3.2.1. The new CVE-2025-66516 addresses the same underlying flaw but includes an expanded list of covered modules and clarifies where exactly the vulnerability resides.
Still Vulnerable to Apache Tika Flaw
“Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable,” ASF said in its description of CVE-2025-66516.
Apache Tika is an open source content analysis tool that can automatically recognize and extract text and metadata from PDFs, PowerPoint, Excel, Word, and hundreds of other file formats. Use cases for the tool include search engine indexing, translation, and feeding content into AI pipelines.
When the ASF disclosed CVE-2025-54988 in August, it characterized the vulnerability as enabling an attacker to “carry out XML External Entity injection via a crafted XFA file inside a PDF.” The foundation described the vulnerability as present in the tika-parser-pdf-module and allowing an attacker to read sensitive data, trigger denial-of-service conditions and establish unauthorized connections to otherwise isolated internal and third party systems. “Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard,” the ASF reminded organizations using the tool.
The ASF said it expanded the vulnerability’s scope and issued a new CVE for two critical reasons. First, while CVE-2025-54988 identified the tika-parser-pdf-module as the vulnerability’s entry point and recommended upgrading that component, the actual flaw resides in tika-core, the ASF said. Organizations that upgraded only the PDF parser module following the initial advisory but did not update tika-core to version 3.2.2 or later therefore remain vulnerable to exploitation, it warned.
Second, the original advisory overlooked the fact that in legacy 1.x Tika releases, the PDF Parser was located in the “org.apache.tika:tika-parsers” module rather than existing as a separate component, ASF said. This meant users of older Tika versions had no clear guidance on the components that required patching.
Broader Impact
CVE-2025-66516 affects both Tika Core and Tika Parsers from versions 1.13 up to and including 3.2.1. The vulnerability also affects the Apache Tika PDF Module versions 1.13 before 2.0.0, and 2.0.0 through 3.2.1. The ASF has fixed the issue in Tika 3.2.2 and later releases. Organizations need to upgrade Tika Core to 3.2.2 or later to protect against the vulnerability. Updating the PDF module alone is insufficient, according to the ASF.
CVE-2025-66516 is an example of how deeply embedded libraries like Apache Tika can create hidden risks across entire organizations due to complex transitive dependencies, where one component relies on another. Critical vulnerabilities in such tools can often have a cascading effect across an entire organization. It is one reason why security experts recommend that organizations maintain detailed software bill of materials (SBOM) inventories and implement automated dependency scanning tools to track all components and their interdependencies.
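A dependency check for the version ranges above, added here as an example and not code from the article or from the Apache Tika project: it reads `mvn dependency:list` output (the sample below is constructed), maps each Tika artifact to its version, and reports anything in the CVE-2025-66516 affected ranges, including the case the ASF highlighted where the PDF module was upgraded but tika-core was not.

```python
"""Flag Apache Tika artifacts still inside the CVE-2025-66516 affected ranges."""
import re
from typing import Dict, List, Tuple

FIXED = (3, 2, 2)          # ASF: fixed in Tika 3.2.2 and later
FIRST_AFFECTED = (1, 13)   # ASF: affected from 1.13 upward

# Artifacts named in the advisory (in 1.x the PDF parser lived inside tika-parsers).
TIKA_ARTIFACTS = {"tika-core", "tika-parsers", "tika-parser-pdf-module"}

# One `mvn dependency:list` line looks like groupId:artifactId:type:version:scope
DEP_RE = re.compile(r"org\.apache\.tika:([\w-]+):\w+:([\w.\-]+):\w+")

# Constructed sample: PDF module patched, tika-core left at 3.2.1 (still vulnerable).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.example:other-lib:jar:1.0.0:compile
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1); qualifiers such as '-SNAPSHOT' are dropped."""
    return tuple(int(p) for p in v.split("-")[0].split(".") if p.isdigit())


def tika_versions(dep_list: str) -> Dict[str, str]:
    """Collect the resolved version of each Tika artifact in the dependency list."""
    found: Dict[str, str] = {}
    for line in dep_list.splitlines():
        m = DEP_RE.search(line)
        if m and m.group(1) in TIKA_ARTIFACTS:
            found[m.group(1)] = m.group(2)
    return found


def assess(dep_list: str) -> List[str]:
    """Return findings for CVE-2025-66516; an empty list means nothing is in range."""
    findings: List[str] = []
    versions = tika_versions(dep_list)
    for artifact, version in sorted(versions.items()):
        ver = parse_version(version)
        if FIRST_AFFECTED <= ver[:2] and ver < FIXED:
            findings.append(f"{artifact} {version} is in the affected range; upgrade to 3.2.2+")
    core, pdf = versions.get("tika-core"), versions.get("tika-parser-pdf-module")
    if core and pdf and parse_version(pdf) >= FIXED and parse_version(core) < FIXED:
        findings.append(f"tika-parser-pdf-module is patched but tika-core {core} is not: "
                        "still vulnerable, the flaw resides in tika-core")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_DEPENDENCY_LIST):
        print(finding)
```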