CVE-2025-66516

Source
https://cve.org/CVERecord?id=CVE-2025-66516
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66516.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-66516
Aliases
Downstream
Published
2025-12-04T16:17:24.980Z
Modified
2026-07-08T07:07:14.932150692Z
Severity
  • 8.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected
Details

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF.

This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways.

First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.

Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "1.13"
                },
                {
                    "last_affected": "3.2.1"
                },
                {
                    "introduced": "1.13"
                },
                {
                    "fixed": "2.0.0"
                },
                {
                    "introduced": "2.0.0"
                },
                {
                    "last_affected": "3.2.1"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66516.json",
    "cwe_ids": [
        "CWE-611"
    ],
    "cna_assigner": "apache"
}
References

Affected packages

Git / github.com/apache/tika

Affected ranges

Type
GIT
Repo
https://github.com/apache/tika
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.13"
        },
        {
            "fixed": "3.2.2"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66516.json"