GHSA-p72g-pv48-7w9x

Source
https://github.com/advisories/GHSA-p72g-pv48-7w9x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-p72g-pv48-7w9x/GHSA-p72g-pv48-7w9x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-p72g-pv48-7w9x
Aliases
Downstream
Related
Published
2025-08-20T21:30:27Z
Modified
2025-08-21T15:48:39.156486Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Apache Tika XXE Vulnerability via Crafted XFA File Inside a PDF
Details

A critical XML External Entity (XXE) vulnerability in the tika-parser-pdf-module of Apache Tika 1.13 through and including 3.2.1, on all platforms, allows an attacker to carry out XXE injection via a crafted XFA file inside a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that tika-parser-pdf-module is used as a dependency in several Tika packages, including at least tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard.

Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Database specific
{
    "cwe_ids": [
        "CWE-611"
    ],
    "github_reviewed": true,
    "severity": "CRITICAL",
    "nvd_published_at": "2025-08-20T20:15:33Z",
    "github_reviewed_at": "2025-08-21T14:36:27Z"
}
References

Affected packages

Maven / org.apache.tika:tika-parser-pdf-module

Package

Name
org.apache.tika:tika-parser-pdf-module
Purl
pkg:maven/org.apache.tika/tika-parser-pdf-module

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.13
Fixed
3.2.2

Affected versions

2.*

2.0.0-ALPHA
2.0.0-BETA
2.0.0
2.1.0
2.2.0
2.2.1
2.3.0
2.4.0
2.4.1
2.5.0
2.6.0
2.7.0
2.8.0
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4

3.*

3.0.0-BETA
3.0.0-BETA2
3.0.0
3.1.0
3.2.0
3.2.1
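A check for the affected range above, as an added example that is not part of the advisory or of Apache Tika: it parses `mvn dependency:list`-style lines (constructed here) and flags tika-parser-pdf-module versions in [1.13, 3.2.2), treating pre-release builds such as 2.0.0-ALPHA and 3.0.0-BETA2 as affected, as the version list above does. The sample lines and the line regex are assumptions about the output shape.

```python
"""Flag org.apache.tika:tika-parser-pdf-module versions affected by GHSA-p72g-pv48-7w9x.

Added example, not code from the advisory or from Apache Tika. Uses the range
stated on the page: introduced 1.13, fixed 3.2.2. The input format is assumed to
match `mvn dependency:list` output; the sample below is constructed, not real build output.
"""
import re

AFFECTED_ARTIFACT = "org.apache.tika:tika-parser-pdf-module"
INTRODUCED = "1.13"
FIXED = "3.2.2"


def version_key(version):
    """Sortable key for Maven-style versions such as '1.13', '3.0.0-BETA2'.
    Numeric parts are padded to three components, then a pre-release marker
    sorts qualifiers (ALPHA, BETA2, ...) before the final release of the same number."""
    base, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in base.split("."))
    nums = nums + (0,) * (3 - len(nums))  # 1.13 compares like 1.13.0
    pre = (0, qualifier.upper()) if qualifier else (1, "")  # release > pre-release
    return nums + pre


def is_affected(version):
    """True when INTRODUCED <= version < FIXED, i.e. the advisory's affected range."""
    return version_key(INTRODUCED) <= version_key(version) < version_key(FIXED)


# Assumed shape: "[INFO]    group:artifact:jar:version:scope"
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):jar:(?P<version>[^:\s]+):(?P<scope>\w+)"
)


def find_vulnerable(dependency_list_output):
    """Return the affected versions of the vulnerable artifact found in the output."""
    hits = []
    for line in dependency_list_output.splitlines():
        m = DEP_LINE.match(line)
        if m and f"{m['group']}:{m['artifact']}" == AFFECTED_ARTIFACT and is_affected(m["version"]):
            hits.append(m["version"])
    return hits


# Constructed sample output (not from a real build).
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.1:compile
[INFO]    org.apache.pdfbox:pdfbox:jar:3.0.5:compile
"""

if __name__ == "__main__":
    for v in find_vulnerable(SAMPLE_OUTPUT):
        print(f"{AFFECTED_ARTIFACT}:{v} is affected by GHSA-p72g-pv48-7w9x; upgrade to {FIXED}")
```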