A critical security vulnerability in the Apache Tika framework has been found to affect more modules than initially reported, increasing the potential attack surface. While no active exploitation has been reported, timely updates and configuration adjustments are recommended to mitigate the risk. #ApacheTika #CVE-2025-54988 #CVE-2025-66516
Keypoints
- The vulnerability, initially identified as CVE-2025-54988, affected the Tika PDF parser module.
- Its scope has since been expanded to include tika-core and tika-parsers in a new advisory, CVE-2025-66516.
- The flaw allows a malicious PDF to trigger XXE injection and exfiltrate data without detection.
- Users are advised to update affected Tika components to version 3.2.2 or later to patch the vulnerability.
- Disabling XML parsing is the recommended mitigation for environments where an update cannot be applied promptly or its coverage is unclear.
Read More: https://thecyberexpress.com/apache-tika-critical-cve/