dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch

info@thehackernews.com (The Hacker News)
December 5, 2025
A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity. “Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an
Total
0
Shares
0
0
0
[[{“value”:”

A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack.

The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity.

“Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF,” according to an advisory for the vulnerability.

Cybersecurity

It affects the following Maven packages –

  • org.apache.tika:tika-core >= 1.13, <= 3.2.1 (Patched in version 3.2.2)
  • org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1 (Patched in version 3.2.2)
  • org.apache.tika:tika-parsers >= 1.13, < 2.0.0 (Patched in version 2.0.0)

XXE injection refers to a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. This, in turn, makes it possible to access files on the application server file system and, in some cases, even, achieve remote code execution.

CVE-2025-66516 is assessed to be the same as CVE-2025-54988 (CVSS score: 8.4), another XXE flaw in the content detection and analysis framework that was patched by the project maintainers in August 2025. The new CVE, the Apache Tika team said, expands the scope of affected packages in two ways.

“First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core,” the team said. “Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.”

“Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the “org.apache.tika:tika-parsers” module.”

In light of the criticality of the vulnerability, users are advised to apply the updates as soon as possible to mitigate potential threats.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability

December 5, 2025
Next Post

Chinese hackers exploiting React2Shell bug impacting countless websites, Amazon researchers say

December 5, 2025
Related Posts
3 min

DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide

The threat actor behind two malicious browser extension campaigns, ShadyPanda and GhostPoster, has been attributed to a third attack campaign codenamed DarkSpectre that has impacted 2.2 million users of Google Chrome, Microsoft Edge, and Mozilla Firefox. The activity is assessed to be the work of a Chinese threat actor that Koi Security is tracking under the moniker DarkSpectre. In all, the
info@thehackernews.com (The Hacker News)
December 31, 2025
Read More
3 min

Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave

Threat actors with suspected ties to China have turned a legitimate open-source monitoring tool called Nezha into an attack weapon, using it to deliver a known malware called Gh0st RAT to targets. The activity, observed by cybersecurity company Huntress in August 2025, is characterized by the use of an unusual technique called log poisoning (aka log injection) to plant a web shell on a web
info@thehackernews.com (The Hacker News)
October 8, 2025
Read More