CVE-2025-66516 Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected

🗓️ 04 Dec 2025 16:17:24Reported by apacheType

Critical XXE in Apache Tika modules enables XML External Entity via XFA in PDFs; upgrade tika-core to 3.2.2.

Reporter	Title	Published	Views	Family All 91
IBM Security Bulletins	Security Bulletin: IBM SPSS Analytic Server is affected by Critical XXE vulnerability in Apache Tika (CVE-2025-66516)	16 Feb 202612:33	–	ibm
IBM Security Bulletins	Security Bulletin: Due to use of Apache Tika, IBM Operations Analytics - Log Analysis is affected by XML External Entity (XXE) vulnerability	7 Apr 202617:07	–	ibm
IBM Security Bulletins	Security Bulletin: Critical vulnerability addressed in Cloudera Base on premises 7.1.9 SP1 CHF 14 and Cloudera Runtime 7.3.1.700 SP3 CHF 2	2 Mar 202614:36	–	ibm
IBM Security Bulletins	Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Apache Tika	3 Apr 202616:00	–	ibm
IBM Security Bulletins	Security Bulletin: IBM SPSS Modeler is affected by multiple vulnerabilities in Apache Tika Core and Parsers (CVE-2025-54988, CVE-2025-66516, CVE-2025-66516)	17 Apr 202605:25	–	ibm
IBM Security Bulletins	Security Bulletin: Due to the use of Apache Tika, IBM webMethods Integration Server is vulnerable to XML External Entity injection (CVE-2025-66516)	10 Feb 202610:54	–	ibm
IBM Security Bulletins	Security Bulletin: IBM i Access Client Solutions is vulnerable to an attacker carrying out an XML External Entity injection via a crafted XFA file inside of a PDF (CVE-2025-66516)	14 Jan 202601:43	–	ibm
GithubExploit	Exploit for CVE-2025-66516	8 Dec 202510:50	–	githubexploit
GithubExploit	Exploit for CVE-2025-66516	7 Dec 202503:16	–	githubexploit
GithubExploit	Exploit for Improper Restriction of XML External Entity Reference in Apache Tika	19 Dec 202507:26	–	githubexploit

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.tika:tika-core",
    "product": "Apache Tika core",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "3.2.1",
        "status": "affected",
        "version": "1.13",
        "versionType": "semver"
      }
    ]
  },
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.tika:tika-parsers",
    "product": "Apache Tika parsers",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.0.0",
        "status": "affected",
        "version": "1.13",
        "versionType": "semver"
      }
    ]
  },
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.tika:tika-parser-pdf-module",
    "product": "Apache Tika PDF parser module",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "3.2.1",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
cve	www.cve.org/CVERecord
lists	www.lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k

30 Dec 2025 16:12Current

CVSS 3.18.4

EPSS0.02042

CWE-611