dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch

info@thehackernews.com (The Hacker News)
December 5, 2025
A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity. “Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an
Total
0
Shares
0
0
0
[[{“value”:”

A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack.

The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity.

“Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF,” according to an advisory for the vulnerability.

Cybersecurity

It affects the following Maven packages –

  • org.apache.tika:tika-core >= 1.13, <= 3.2.1 (Patched in version 3.2.2)
  • org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1 (Patched in version 3.2.2)
  • org.apache.tika:tika-parsers >= 1.13, < 2.0.0 (Patched in version 2.0.0)

XXE injection refers to a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. This, in turn, makes it possible to access files on the application server file system and, in some cases, even, achieve remote code execution.

CVE-2025-66516 is assessed to be the same as CVE-2025-54988 (CVSS score: 8.4), another XXE flaw in the content detection and analysis framework that was patched by the project maintainers in August 2025. The new CVE, the Apache Tika team said, expands the scope of affected packages in two ways.

“First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core,” the team said. “Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.”

“Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the “org.apache.tika:tika-parsers” module.”

In light of the criticality of the vulnerability, users are advised to apply the updates as soon as possible to mitigate potential threats.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability

December 5, 2025
Next Post

Chinese hackers exploiting React2Shell bug impacting countless websites, Amazon researchers say

December 5, 2025
Related Posts
17 min

⚡ Weekly Recap: MongoDB Attacks, Wallet Breaches, Android Spyware, Insider Crime & More

Last week’s cyber news in 2025 was not about one big incident. It was about many small cracks opening at the same time. Tools people trust every day behave in unexpected ways. Old flaws resurfaced. New ones were used almost immediately. A common theme ran through it all in 2025. Attackers moved faster than fixes. Access meant for work, updates, or support kept getting abused. And damage did not
info@thehackernews.com (The Hacker News)
December 29, 2025
Read More
2 min

New React RSC Vulnerabilities Enable DoS and Source Code Exposure

The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. The team said the issues were found by the security community while attempting to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical bug in RSC that has since been weaponized in
info@thehackernews.com (The Hacker News)
December 12, 2025
Read More
1 min

SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

SonicWall has rolled out fixes to address a security flaw in Secure Mobile Access (SMA) 100 series appliances that it said has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-40602 (CVSS score: 6.6), concerns a case of local privilege escalation that arises as a result of insufficient authorization in the appliance management console (AMC). It affects the following
info@thehackernews.com (The Hacker News)
December 17, 2025
Read More