{"id":"CVE-2025-66516","details":"Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. \n\nThis CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. \n\nFirst, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to \u003e= 3.2.2 would still be vulnerable. \n\nSecond, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the \"org.apache.tika:tika-parsers\" module.","aliases":["GHSA-f58c-gq56-vjjf"],"modified":"2026-04-10T05:34:24.779645Z","published":"2025-12-04T17:15:57.120Z","references":[{"type":"ADVISORY","url":"https://cve.org/CVERecord?id=CVE-2025-54988"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tika","events":[{"introduced":"386b68b5ae87beafacfb63f33e0a9888dedb9c30"},{"fixed":"c5c9d00e475d48226dfe3f80a2891bfa5426043a"}],"database_specific":{"versions":[{"introduced":"1.13"},{"fixed":"3.2.2"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66516.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}