25 matches found
CVE-2025-66516
CVE-2025-66516 is a critical XXE in Apache Tika affecting tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5). The root cause is XML External Entity injection triggered by a crafted XFA file in a PDF, allowing an attacker to access sensitive data or trigger intern...
CVE-2021-33813
CVE-2021-33813 concerns an XXE vulnerability in JDOM’s SAXBuilder up to version 2.0.6, allowing denial-of-service via a crafted HTTP request. Connected advisories confirm the issue affects jdom/jdom2 and list downstream fixes/upgrades in Linux distributions (e.g., Amazon Linux advisories ALAS2-20...
CVE-2018-1335
CVE-2018-1335 affects Apache Tika with tika-server versions 1.7–1.17, where carefully crafted HTTP headers can trigger command injection on the server if exposed to untrusted clients. The underlying issue is an input handling flaw that allows commands to be passed to the server’s command line. Th...
CVE-2022-25169
CVE-2022-25169 concerns Apache Tika’s BPG parser, where crafted inputs may cause excessive memory allocation, potentially leading to a denial of service. Public details consistently identify the vulnerable component as the BPG parser within Tika and specify affected versions as before 1.28.2 and ...
CVE-2022-30126
Apache Tika CVE-2022-30126 is a ReDoS via a regex in StandardsText used by the StandardsExtractingContentHandler. The issue can cause denial of service on crafted files and only affects users running the StandardsExtractingContentHandler (a non-standard handler). A fix is available in Tika versio...
CVE-2021-28657
CVE-2021-28657 affects Apache Tika MP3Parser. A carefully crafted or corrupt MP3 file can trigger an infinite loop in MP3Parser in Tika versions up to 1.25, potentially causing a denial of service (crash). Mitigation shown in sources is to upgrade to Tika 1.26 or later. Multiple connected documen...
CVE-2022-30973
Apache Tika's ReDoS vulnerability (CVE-2022-30973) arises from a regex in StandardsText used by StandardsExtractingContentHandler. Affected: 1.x branch, specifically the 1.28.2 release; impact is denial of service via backtracking on crafted files. The issue is limited to users running the Standa...
CVE-2020-9489
CVE-2020-9489 affects Apache Tika components including OneNoteParser, ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser and ImageParser. The issue involves crafted or corrupt files triggering System.exit, out-of-memory errors, or infinite loops. The public advisories recommend upgrading Apache Tik...
CVE-2020-1950
CVE-2020-1950 affects Apache Tika, specifically the PSDParser. The issue arises when processing crafted or corrupt PSD files, which can lead to excessive memory usage and potential denial of service in Tika versions 1.0–1.23. Connected advisories (USN/Ubuntu and related security notes) confirm th...
CVE-2025-54988
CVE-2025-54988 is an XXE in Apache Tika affecting tika-core/tika-pdf-module/tika-parsers, allowing XML External Entity injection via a crafted XFA PDF. The NVD entry covers Apache Tika 1.13–3.2.1 with a fix in 3.2.2; an attacker may read sensitive data or trigger internal requests. Sev...
CVE-2016-6809
Apache Tika prior to 1.14 is vulnerable to remote Java code execution via serialized objects embedded in MATLAB files. The root cause is native deserialization invoked through JMatIO, enabling an attacker to inject and execute code during object deserialization. Public references in the connected...
CVE-2020-1951
CVE-2020-1951 affects Apache Tika's PSDParser in Tika versions 1.0–1.23, where a carefully crafted or corrupt PSD file can cause an infinite loop (denial of service). The provided connected documents confirm the affected component and root cause (infinite loop in PSDParser) but d...
CVE-2018-11796
Apache Tika 0.1–1.19 is vulnerable to an entity-expansion denial of service. The root cause is that Xerces2-based SAXParsers reset() after each parse, which removes the user-configured SecurityManager and, per documentation, the entity-expansion limits after the first parse. This means versions f...
CVE-2015-3271
Apache Tika server (tika-server) up to v1.9 is vulnerable when used as a web service with untrusted access: a remote attacker can read arbitrary files via the HTTP fileUrl header, causing information disclosure from the server's filesystem. Root cause is the server fetching content from the URL p...
CVE-2022-33879
CVE-2022-33879 is related to Apache Tika's regex handling in the StandardsExtractingContentHandler. The connected Nessus entries confirm a separate, new regular-expression DoS (ReDoS) vulnerability in a different regex within the same component. The initial fixes for CVE-2022-30126 and CVE-2022-3...
CVE-2016-4434
CVE-2016-4434 (Apache Tika) affects Tika prior to 1.13, where improper initialization of the XML parser/handlers enables XML External Entity (XXE) attacks via OOXML spreadsheets and XMP metadata in PDFs and other formats. The root cause is an XXE vulnerability in XML parsing that can lead to read...
CVE-2018-17197
CVE-2018-17197 affects Apache Tika’s SQLite3Parser, where a carefully crafted or corrupt sqlite file can trigger an infinite loop in versions 1.8–1.19.1. The vulnerability is a denial of service in Tika’s parser, with potential impact on availability. The connected documents confirm the affected ...
CVE-2018-11761
Apache Tika is affected by CVE-2018-11761: XML parsers before 1.19.x did not limit entity expansion, enabling potential denial-of-service. Public details indicate vulnerability in Tika 0.1–1.18 (and discussion around 1.19) with remediation to upgrade to 1.19.1 or later. Some sources note that dow...
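The XXE and entity-expansion entries in this list (CVE-2016-4434, CVE-2025-54988, CVE-2025-66516, CVE-2018-11761, CVE-2018-11796) all come down to how the underlying SAX parser is configured and reused. The following is an added example, not Tika's own code, showing the JDK-level hardening a practitioner would apply to any XML parsing of untrusted input: the security features are set on the SAXParserFactory so that every parser obtained from it inherits them, instead of on a reused SAXParser instance, where reset() returns the parser to its factory-created state and discards anything set on the instance afterwards (the reuse pitfall described for CVE-2018-11796). The XXE and entity-expansion payloads are constructed for the demonstration, and the file path inside the XXE payload is illustrative.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxExample {

    /** Builds a factory whose parsers refuse DTDs and external entities. */
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        // Rejecting any DOCTYPE rules out both external entities and entity-expansion bombs.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must allow a DOCTYPE.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Enables the JDK's built-in entity-expansion and size limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /**
     * Parses one document with a parser taken fresh from the factory and returns its text.
     * Factory-level features survive newSAXParser() and reset(); a limit or SecurityManager
     * set with setProperty() on a reused SAXParser instance would not.
     */
    static String parse(SAXParserFactory f, byte[] xml)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParser p = f.newSAXParser();
        StringBuilder text = new StringBuilder();
        p.parse(new ByteArrayInputStream(xml), new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int len) {
                text.append(ch, start, len);
            }
        });
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed XXE payload of the classic shape; the file path is illustrative.
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE x [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n"
                + "<x>&ext;</x>";
        // Constructed entity-expansion payload, cut to three levels.
        String bomb = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE x [<!ENTITY a \"aaaaaaaaaa\">"
                + "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">"
                + "<!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">]>\n"
                + "<x>&c;</x>";
        String benign = "<?xml version=\"1.0\"?><x>hello</x>";

        SAXParserFactory f = hardenedFactory();
        // Several parses from one factory: each one gets a fresh, still-hardened parser.
        for (String doc : new String[] {benign, xxe, bomb}) {
            try {
                System.out.println("accepted: " + parse(f, doc.getBytes(StandardCharsets.UTF_8)));
            } catch (SAXParseException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Run with `javac HardenedSaxExample.java && java HardenedSaxExample`: the benign document is accepted, while both the XXE payload and the expansion payload are rejected at the DOCTYPE before any entity is resolved. The same settings carry over to Tika itself when a custom SAXParserFactory is supplied, since Tika's XML-based parsers sit on top of the JDK SAX API.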
CVE-2018-1339
CVE-2018-1339 affects Apache Tika's ChmParser; a carefully crafted file can trigger an infinite loop in versions prior to 1.18, causing DoS. Remediation: upgrade to Tika 1.18 or later (as indicated by multiple advisories).
CVE-2019-10088
CVE-2019-10088 affects Apache Tika’s RecursiveParserWrapper (versions 1.7–1.21). A crafted zip file can cause memory exhaustion/OOM. A fix is available: upgrade to Tika 1.22 or later (as noted across IBM QRadar Security bulletin entries).
CVE-2019-10094
Apache Tika CVE-2019-10094: A crafted archive that unpacks to itself (a quine) triggers a StackOverflowError in RecursiveParserWrapper for Tika versions 1.7–1.21. Upgrade to 1.22 or later to fix.
CVE-2018-1338
CVE-2018-1338: Apache Tika is vulnerable to a denial of service via a carefully crafted (or fuzzed) file that can trigger an infinite loop in the BPGParser in Tika versions before 1.18. The provided documents confirm the affected component (BPGParser in Apache Tika), the vulnerability type (infi...
CVE-2018-8017
Apache Tika 1.2–1.18 is vulnerable to a denial-of-service via the IptcAnpaParser. A crafted file can trigger an infinite loop, potentially causing a hang or crash. Affected component: IptcAnpaParser within Tika; attack may be remote/local depending on deployment. CVE-2018-8017 entry shows a base ...
CVE-2018-11762
CVE-2018-11762 affects Apache Tika 0.9–1.18. In the rare case where no extract directory is specified on the command line and an embedded file has an absolute path (e.g., C:/evil.bat), tika-app could overwrite that file. The issue is a path handling/Zip extraction edge case; impact is potential a...
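CVE-2018-11762 is a path-handling bug at the boundary where an embedded file's own name decides where bytes land on disk. As an added example, not tika-app's code, the following JDK-only check confines every embedded resource name to the chosen extract directory and, when no directory was given, writes into a freshly created temporary directory rather than relative to the working directory. The names `extractDirOrDefault` and `safeOutputPath` are chosen here, and the resource names in `main` are constructed test inputs; the `C:/evil.bat` case is handled textually because `Path.isAbsolute()` does not recognise a Windows drive prefix on a Linux host.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.regex.Pattern;

public class EmbeddedExtractPath {

    // Drive-letter ("C:") or UNC ("//server") prefix after backslashes are normalised to '/'.
    private static final Pattern DRIVE_OR_UNC = Pattern.compile("^([A-Za-z]:|//).*");

    /**
     * Returns the extract directory to use, never null. With no directory requested
     * (the CVE-2018-11762 condition) a private temp dir is used instead of the working dir.
     */
    static Path extractDirOrDefault(Path requested) throws IOException {
        Path dir = (requested != null) ? requested : Files.createTempDirectory("tika-extract-");
        Files.createDirectories(dir);
        return dir.toAbsolutePath().normalize();
    }

    /** Maps an embedded resource name to a path strictly inside extractDir, or throws. */
    static Path safeOutputPath(Path extractDir, String embeddedName) throws IOException {
        if (embeddedName == null || embeddedName.trim().isEmpty()) {
            throw new IOException("embedded file has no usable name");
        }
        String name = embeddedName.replace('\\', '/');
        // Reject anything that is absolute on any OS, not just on the OS we run on.
        if (name.startsWith("/") || DRIVE_OR_UNC.matcher(name).matches()) {
            throw new IOException("absolute embedded path rejected: " + embeddedName);
        }
        Path root = extractDir.toAbsolutePath().normalize();
        Path target;
        try {
            target = root.resolve(name).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("embedded path not representable: " + embeddedName, e);
        }
        // Component-wise containment check; also refuses a name that collapses to the root itself.
        if (target.equals(root) || !target.startsWith(root)) {
            throw new IOException("embedded path escapes extract dir: " + embeddedName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dir = extractDirOrDefault(null); // simulate a run with no extract dir specified
        // Constructed embedded-file names: two legitimate, the rest hostile.
        String[] constructed = {
            "report.pdf", "images/page1.png",
            "../../../etc/passwd", "C:/evil.bat", "C:\\evil.bat",
            "/etc/passwd", "..", "a/../../b.txt"
        };
        for (String n : constructed) {
            try {
                System.out.println("ok       " + n + " -> " + safeOutputPath(dir, n));
            } catch (IOException e) {
                System.out.println("rejected " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only `report.pdf` and `images/page1.png` resolve to a location under the extract directory; every other constructed name is rejected before any file is opened for writing. The containment test uses `Path.startsWith`, which compares path components rather than string prefixes, so a sibling directory such as `extract-dir2` cannot pass as a prefix match.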
CVE-2019-10093
CVE-2019-10093 affects Apache Tika 1.19–1.21, where parsing carefully crafted 2003ml/2006ml files can exhaust SAXParsers in the pool and cause very long hangs. Impact described as denial of service with availability risk; recommended fix is upgrade to Tika 1.22 or newer. Connected sources also no...