Request a Demo
Rewterz
Critical RSC Flaw in React and Next.js Enables Code Execution
December 8, 2025
Rewterz
Zoom Rooms Flaws Allow Privilege Escalation and Data Leaks
December 9, 2025

Critical Apache Tika Core Exploited via Malicious PDF Uploads

Severity

High

Analysis Summary

A critical security flaw has been discovered in Apache Tika, a widely used open-source toolkit for extracting text and metadata from documents such as PDFs, Word files, and images. The vulnerability, identified as CVE-2025-66516 with a CVSS score of (Critical), is an XML External Entity (XXE) injection that can be exploited by attackers embedding malicious XFA (XML Forms Architecture) content inside PDF files. When processed by Tika, these crafted documents can allow attackers to execute arbitrary code, steal sensitive information, or gain unauthorized system access, putting organizations worldwide at significant risk.

The flaw primarily resides in Tika-core, though it also affects multiple related components. Specifically, Tika-core versions 1.13 through 3.2.1Tika-parsers versions 1.13 to pre-2.0.0, and Tika PDF parser module versions 2.0.0 through 3.2.1 are vulnerable. This means that simply updating the PDF parser without upgrading Tika-core leaves systems exposed. Additionally, legacy systems using older 1.x releases may remain at risk, as the PDF parser was bundled within the “tika-parsers” module rather than as a separate component, highlighting the importance of fully understanding affected versions before applying fixes.

Immediate remediation requires upgrading Tika-core to version 3.2.2 or later, which addresses the vulnerability across all components. Organizations using older 1.x releases are advised to contact their software vendors for patched versions. Until updates are applied, a temporary mitigation includes restricting PDF uploads from untrusted sources, particularly for systems handling sensitive data such as financial records, legal documents, and personal information. Security teams should prioritize this patch within their vulnerability management processes to prevent exploitation.

This vulnerability emphasizes the critical importance of thorough patch management and awareness of component interdependencies in widely used software. Despite Apache releasing fixes, the risk remains high due to the ease of exploitation through crafted PDFs and the widespread use of Tika across platforms including Windows, Linux, and macOS. Organizations must act swiftly to update all affected components, implement temporary mitigations, and review document processing workflows to minimize potential exposure.

Impact

  • Gain Access
  • Information Disclosure
  • Code Execution

Indicators of Compromise

CVE

  • CVE-2025-66516

Remediation

  • Upgrade Tika-core to version 3.2.2 or later immediately, as this patch addresses the vulnerability across all components.
  • Update related components including Tika-parsers and Tika PDF parser module to their latest patched versions to ensure full coverage.
  • Restrict PDF uploads from untrusted or external sources until the patch is applied.
  • Verify legacy systems running Tika 1.x to ensure they are patched, as older releases may still be vulnerable even if the PDF parser was updated.
  • Review document processing workflows to minimize exposure to malicious files and implement additional scanning for uploaded PDFs.
  • Monitor for suspicious activity on systems using Tika, especially abnormal file processing, code execution attempts, or data exfiltration.
  • Communicate with software vendors if using third-party applications that include Tika to ensure they have applied the necessary updates.
  • Prioritize patch management in vulnerability management processes to prevent exploitation of similar XML External Entity (XXE) vulnerabilities in the future.