GHSA-f58c-gq56-vjjf

Source

https://github.com/advisories/GHSA-f58c-gq56-vjjf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-f58c-gq56-vjjf/GHSA-f58c-gq56-vjjf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-f58c-gq56-vjjf

Aliases

CVE-2025-66516

Downstream

MINI-544p-mwgc-mh5g

MINI-mh68-53jr-53ff

Published

2025-12-04T18:30:54Z

Modified

2025-12-05T03:42:51.706106Z

Severity

10.0 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator

Summary

Apache Tika has XXE vulnerability

Details

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF.

This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways.

First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.

Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

Database specific

{
    "severity": "CRITICAL",
    "nvd_published_at": "2025-12-04T17:15:57Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "github_reviewed_at": "2025-12-05T02:24:30Z",
    "github_reviewed": true
}

References

Affected packages

Maven / org.apache.tika:tika-core

Package

Name: org.apache.tika:tika-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tika/tika-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.13

Fixed

3.2.2

Affected versions

1.*

1.13

1.14

1.15

1.16

1.17

1.18

1.19

1.19.1

1.20

1.21

1.22

1.23

1.24

1.24.1

1.25

1.26

1.27

1.28

1.28.1

1.28.2

1.28.3

1.28.4

1.28.5

2.*

2.0.0-ALPHA

2.0.0-BETA

2.0.0

2.1.0

2.2.0

2.2.1

2.3.0

2.4.0

2.4.1

2.5.0

2.6.0

2.7.0

2.8.0

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

3.*

3.0.0-BETA

3.0.0-BETA2

3.0.0

3.1.0

3.2.0

3.2.1

Database specific

last_known_affected_version_range

"<= 3.2.1"

Maven / org.apache.tika:tika-parsers

Package

Name: org.apache.tika:tika-parsers; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tika/tika-parsers

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.13

Fixed

2.0.0

Affected versions

1.*

1.13

1.14

1.15

1.16

1.17

1.18

1.19

1.19.1

1.20

1.21

1.22

1.23

1.24

1.24.1

1.25

1.26

1.27

1.28

1.28.1

1.28.2

1.28.3

1.28.4

1.28.5

2.*

2.0.0-ALPHA

2.0.0-BETA

Maven / org.apache.tika:tika-parser-pdf-module

Package

Name: org.apache.tika:tika-parser-pdf-module; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tika/tika-parser-pdf-module

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

3.2.2

Affected versions

2.*

2.0.0

2.1.0

2.2.0

2.2.1

2.3.0

2.4.0

2.4.1

2.5.0

2.6.0

2.7.0

2.8.0

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

3.*

3.0.0-BETA

3.0.0-BETA2

3.0.0

3.1.0

3.2.0

3.2.1

Database specific

last_known_affected_version_range

"<= 3.2.1"