Full Report
PLUS: New kind of DDOS from the Americas; Predator still hunting spyware targets; NIST issues IoT advice; And more! Infosec in Brief The Apache Foundation last week warned of a 10.0-rated flaw in its Tika toolkit.…
Analysis Summary
# Vulnerability: Critical RCE/XXE Flaw in Apache Tika (Related to Previous Flaw)
## CVE Details
- CVE ID: CVE-2025-66516
- CVSS Score: 10.0 (Critical)
- CWE: XML External Entity (XXE) Injection (inferred from the context of the related CVE)
## Affected Systems
- Products: Apache Tika (specifically components handling PDF parsing)
- Versions: All 1.x releases where only `tika-parser-pdf-module` was upgraded and `tika-core` was not, and potentially every version affected by the underlying issue in `tika-core`.
- Configurations: Deployments that upgraded only `tika-parser-pdf-module` (in 1.x releases) without also upgrading `tika-core` to version 3.2.2 or later.
## Vulnerability Description
This critical vulnerability is related to the earlier CVE-2025-54988 (CVSS 8.4, an XXE flaw) in Tika's PDF processing module (`tika-parser-pdf-module`). The fix for that XXE injection was implemented in the `tika-core` component, not in the PDF module itself. Users who updated their dependency on the PDF parsing module but did not update `tika-core` to the required version (>= 3.2.2) therefore remained vulnerable to the critical XXE injection flaw via a crafted XFA file embedded in a PDF.
## Exploitation
- Status: Advisory issued; risk is high because of confusion over which component carries the fix. (No explicit mention of in-the-wild exploitation for this specific CVE, but the related flaw confirms exploitability.)
- Complexity: Low to Medium (if confirmed as XXE, such flaws often allow remote code execution or sensitive file disclosure/SSRF).
- Attack Vector: Network (via an uploaded or otherwise processed file)
## Impact
- Confidentiality: High (Potential for file disclosure, SSRF)
- Integrity: High (Potential for code execution or data tampering if combined with other conditions)
- Availability: High (Potential for denial of service via resource exhaustion or remote execution)
## Remediation
### Patches
- Users must upgrade `tika-core` to version **>= 3.2.2**.
- Users should ensure all relevant Tika modules, especially `tika-parsers`, are updated to versions that correctly incorporate the patched `tika-core`.
### Workarounds
- Strictly limit processing of untrusted file formats, especially PDFs, if immediate patching is not possible.
- Ensure all Tika components (`tika-core` dependency) are updated in concert.
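The remediation above hinges on a dependency-resolution check rather than a code change: `tika-core` must be at or above 3.2.2 whenever a Tika parser module is on the classpath. The following script is an added example (not Tika's own tooling or anything from the advisory) that audits lines in the shape of Maven's `mvn dependency:list` output (`group:artifact:type[:classifier]:version:scope`) and reports the core/module mismatch the advisory describes. The sample lines are constructed for illustration, and `org.example:placeholder-lib` is a placeholder artifact.

```python
"""Audit resolved dependencies for the tika-core / parser-module mismatch.

Added example, not Tika project code. Input lines are assumed to follow the
`mvn dependency:list` format: group:artifact:type[:classifier]:version:scope.
"""
from __future__ import annotations

import re
from typing import Iterable, Optional

# Minimum tika-core version that carries the XXE fix, per the advisory.
MIN_TIKA_CORE = (3, 2, 2)

# Tika artifacts named on the page whose fix lives in tika-core.
DEPENDENT_MODULES = {"tika-parser-pdf-module", "tika-parsers"}

# Matches the coordinate string that follows the org.apache.tika group id.
_TIKA_COORD = re.compile(r"org\.apache\.tika:([^\s:]+(?::[^\s:]+)*)")


def parse_dep(line: str) -> Optional[tuple[str, str]]:
    """Return (artifact, version) for an org.apache.tika coordinate, else None."""
    m = _TIKA_COORD.search(line)
    if not m:
        return None
    fields = m.group(1).split(":")
    # Maven list format: artifact, type, [classifier], version, scope.
    if len(fields) < 4:
        return None
    return fields[0], fields[-2]


def parse_version(text: str) -> tuple[int, ...]:
    """Numeric prefix of a version string: '3.2.2-SNAPSHOT' -> (3, 2, 2)."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def audit(lines: Iterable[str]) -> list[str]:
    """Return human-readable findings; an empty list means no mismatch found."""
    found: dict[str, str] = {}
    for line in lines:
        dep = parse_dep(line)
        if dep:
            found[dep[0]] = dep[1]

    modules = sorted(DEPENDENT_MODULES & found.keys())
    core = found.get("tika-core")
    findings: list[str] = []
    if core is None:
        # A parser module without a resolved tika-core cannot be confirmed fixed.
        if modules:
            findings.append(
                f"tika-core not resolved alongside {', '.join(modules)}; cannot confirm fix"
            )
    elif parse_version(core) < MIN_TIKA_CORE:
        findings.append(f"tika-core {core} is below 3.2.2; XXE fix missing")
        for mod in modules:
            findings.append(f"{mod} {found[mod]} is paired with unpatched tika-core {core}")
    return findings


# Constructed sample in the shape of `mvn dependency:list` output; not real project data.
MISMATCHED_TREE = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.apache.tika:tika-core:jar:3.1.0:compile",
    "[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile",
    "[INFO]    org.example:placeholder-lib:jar:1.0.0:compile",
]
PATCHED_TREE = [
    "[INFO]    org.apache.tika:tika-core:jar:3.2.2:compile",
    "[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile",
]

if __name__ == "__main__":
    for name, tree in (("mismatched", MISMATCHED_TREE), ("patched", PATCHED_TREE)):
        print(f"{name}: {audit(tree) or 'OK'}")
```

In practice the input would be piped from the build tool (`mvn dependency:list | python audit.py`, with a `sys.stdin` reader in place of the constructed lists); the key design point is that the check keys on the resolved `tika-core` version, not on the parser module's version, which is exactly the distinction the advisory says users missed.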
## Detection
- Indicators of Compromise: Unusually high internal network traffic originating from the Tika processing service, or unexpected file system access or outbound connections if RCE or SSRF is achieved.
- Detection methods and tools: Monitor for unusual external requests originating from hosts running Apache Tika instances that process untrusted PDFs. Standard XML parser configuration hardening checks may also flag outdated configurations.
## References
- Vendor Advisories: Apache Foundation Announcement (Last Friday relative to the publication date).
- Relevant links (defanged):
  - hXXps://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
  - hXXps://www.cve.org/CVERecord?id=CVE-2025-66516
  - hXXps://www.cve.org/CVERecord?id=CVE-2025-54988