A critical vulnerability, tracked as CVE-2025-54988, has been discovered in Apache Tika’s PDF parser module, posing a severe risk to organizations that rely on the widely used document parsing library. The flaw originates from an XML External Entity (XXE) injection weakness in the tika-parser-pdf-module, which allows attackers to exploit improperly handled XFA (XML Forms Architecture) content embedded within PDF files. Security researchers Paras Jain and Yakov Shafranovich of Amazon identified that versions 1.13 through 3.2.1 are affected, making a large number of enterprise environments susceptible to exploitation through maliciously crafted PDF documents.

The attack is enabled by manipulating XFA structures within PDFs, which can trigger external entity resolution and lead to sensitive data exfiltration, internal file access, and server-side request forgery (SSRF). Since XFA technology supports dynamic XML-driven forms in PDFs, its improper processing within Tika provides attackers a pathway to launch targeted attacks with minimal user interaction. By submitting a specially crafted PDF, adversaries can trick the vulnerable parser into leaking local files, mapping internal networks, or sending malicious requests to attacker-controlled infrastructure.

The vulnerability’s impact extends beyond the standalone PDF parser, as several widely used Apache Tika packages including tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc, and tika-server-standard depend on the vulnerable module. This significantly broadens the attack surface across enterprise deployments, particularly in environments where Tika is used for automated document ingestion and processing workflows. Given the potential to compromise internal systems and access sensitive corporate data, security experts have rated this issue critical in severity.

To mitigate the risk, organizations are strongly advised to upgrade immediately to Apache Tika version 3.2.2, which includes the official fix. In addition, administrators should enforce security best practices such as validating PDF uploads, segmenting internal networks to reduce XXE exploitation pathways, and monitoring for suspicious XML parsing activity. Considering Apache Tika’s widespread adoption in enterprise document pipelines, the urgency of this patch cannot be overstated delayed remediation could leave organizations exposed to high-impact data breaches and internal reconnaissance attacks.