Apache Tika XXE Vulnerability in Core, PDF Parser Module, and Parsers

Vulnerability

An XML External Entity (XXE) vulnerability has been identified in three Apache Tika components: the core module (1.13 through 3.2.1), the PDF parser module (2.0.0 through 3.2.1), and the 1.x parsers module (1.13 prior to 2.0.0, when the parsers were split into per-format modules). XFA forms are XML documents embedded in a PDF; a crafted XFA stream can declare external entities that the XML parser resolves while the PDF is processed. An attacker who can get such a PDF parsed by Tika can therefore read data accessible to the Tika process or make it issue requests to internal or external resources.

Impact

Successful exploitation yields classic XXE outcomes: disclosure of files readable by the Tika process (an entity such as file:///... is expanded into the extracted content) and server-side requests to internal systems or external servers, which can be used for port scanning, reaching metadata services, or exfiltration via out-of-band lookups. Any deployment that feeds untrusted PDFs to Tika (search and content indexing, upload scanning, document conversion, DLP) is exposed; the only interaction required is that the file be submitted.

Remediation

Upgrade Apache Tika to version 3.2.2 or later. Deployments that use the PDF parser module must update both the module and the core to 3.2.2 together; mixing an updated core with an older PDF module (or vice versa) leaves the vulnerable code on the classpath. No fixed release is given for the 1.x or 2.x lines, so users on those lines should move to 3.2.2 rather than to a later 1.x or 2.x release. Until the upgrade is done, treat PDFs from untrusted sources as unsafe input to Tika; a DOCTYPE with SYSTEM or PUBLIC entity declarations inside an XFA stream has no legitimate use in a form and can be rejected at ingress.
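The ingress check described above, as an added example that is not code from this page or from the Apache Tika project: a small Python triage scanner that pulls the stream objects out of a PDF, inflates FlateDecode streams, and flags any XML stream that declares a DOCTYPE or a SYSTEM/PUBLIC entity, marking whether the stream is the one referenced from the AcroForm's /XFA entry. The sample PDF it builds is constructed for the example (it has no xref table, so only byte-level tools will accept it), the entity name and file path in the payload are illustrative, and the scanner assumes that only /FlateDecode is used as a stream filter and that XFA streams are reachable through the /XFA key.

```python
"""Ingress triage for PDFs whose XFA stream carries a DTD with external entities.

Added example, not code from Apache Tika or this advisory. Assumptions: only
/FlateDecode streams are inflated, XFA streams are located via the AcroForm
/XFA entry, and the sample PDF is a constructed fixture without an xref table.
"""
import re
import zlib

# "N G obj << ... >> stream\n": the tempered dot keeps a dictionary match from
# running across "endobj" into a later object that does carry a stream.
STREAM_HDR_RE = re.compile(
    rb"(?P<num>\d+)\s+\d+\s+obj\s*(?P<dict><<(?:(?!endobj).)*?>>)\s*stream\r?\n",
    re.DOTALL,
)
# Direct /Length only; an indirect "/Length 5 0 R" is ignored and the scanner
# falls back to searching for the endstream keyword.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
XFA_ENTRY_RE = re.compile(rb"/XFA\s*(\[[^\]]*\]|\d+\s+\d+\s+R)", re.DOTALL)
OBJ_REF_RE = re.compile(rb"(\d+)\s+\d+\s+R")
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# General (&name;) or parameter (%name;) entities that point outside the document.
EXT_ENTITY_RE = re.compile(rb"<!ENTITY\s+(%\s*)?([^\s>]+)\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def referenced_xfa_objects(data: bytes) -> set[int]:
    """Object numbers referenced from any /XFA entry (name/ref array or a single ref)."""
    refs: set[int] = set()
    for m in XFA_ENTRY_RE.finditer(data):
        refs.update(int(n) for n in OBJ_REF_RE.findall(m.group(1)))
    return refs


def iter_streams(data: bytes):
    """Yield (object number, stream dictionary, raw stream bytes) for each stream object."""
    pos = 0
    while (m := STREAM_HDR_RE.search(data, pos)) is not None:
        start = m.end()
        length = LENGTH_RE.search(m.group("dict"))
        if length:
            end = start + int(length.group(1))
            body = data[start:end]
        else:
            end = data.find(b"endstream", start)
            if end < 0:
                return
            body = data[start:end].rstrip(b"\r\n")
        yield int(m.group("num")), m.group("dict"), body
        pos = end  # resume after the body so binary stream data is never re-parsed


def decode_stream(dictionary: bytes, body: bytes) -> bytes:
    """Inflate FlateDecode streams; other filters are returned as-is (assumption)."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(body)
        except zlib.error:
            return body
    return body


def scan_pdf(data: bytes) -> list[dict]:
    """One finding per XML stream that declares a DOCTYPE or an external entity."""
    xfa_objs = referenced_xfa_objects(data)
    findings = []
    for num, dictionary, raw in iter_streams(data):
        body = decode_stream(dictionary, raw)
        if not body.lstrip().startswith(b"<"):
            continue  # not XML, so not an XFA packet
        entities = [
            ("%" if m.group(1) else "") + m.group(2).decode("latin-1")
            for m in EXT_ENTITY_RE.finditer(body)
        ]
        doctype = DOCTYPE_RE.search(body) is not None
        if doctype or entities:
            findings.append({"obj": num, "xfa": num in xfa_objs,
                             "doctype": doctype, "external_entities": entities})
    return findings


def build_sample_pdf(xfa_xml: bytes, compress: bool = True) -> bytes:
    """Constructed fixture: one page plus an AcroForm whose /XFA is a datasets stream."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [] /XFA [(datasets) 4 0 R] >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< " + filt + b"/Length %d >>\nstream\n" % len(body) + body + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.7\n")
    for num, obj in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return bytes(out)


# Constructed XFA datasets packet; the DTD declares an external entity (the
# file path is illustrative, the declaration itself is what the scanner flags).
XXE_XFA = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE xdp:xdp [ <!ENTITY loot SYSTEM "file:///etc/hostname"> ]>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
    b'  <xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">\n'
    b'    <xfa:data><form1><name>&loot;</name></form1></xfa:data>\n'
    b'  </xfa:datasets>\n'
    b'</xdp:xdp>\n'
)
# The same packet without a DTD, as a legitimate form would carry it.
BENIGN_XFA = XXE_XFA.replace(
    b'<!DOCTYPE xdp:xdp [ <!ENTITY loot SYSTEM "file:///etc/hostname"> ]>\n', b""
).replace(b"&loot;", b"Alice")


if __name__ == "__main__":
    for label, xml in (("xxe", XXE_XFA), ("benign", BENIGN_XFA)):
        print(label, scan_pdf(build_sample_pdf(xml)))
```

The scanner deliberately flags any DOCTYPE, not only entities it can name: parameter entities and external DTD subsets can pull the dangerous declarations in from elsewhere, so the presence of a DTD in form data is the signal worth acting on. It is a triage control, not a substitute for the upgrade; a PDF that reaches the vulnerable parser through a filter this scanner does not inflate would pass unseen.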

Added: Dec 4, 2025, 5:17 PM
Updated: Dec 4, 2025, 5:17 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 0.8
exploitability: 7.0
remediation: 7.7
relevance: 1.2
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.