Apache Tika XXE Vulnerability

CRITICAL (9.8) No Patch (14 days)

Threat Intelligence

⚠️ CRITICAL GAP - Exploits exist but no detection available
EPSS Score: 0.06% chance of exploitation (percentile: 20%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: GitHub PoC


What is it?

Apache Tika is a content analysis toolkit used by many applications to extract metadata from files. This vulnerability allows attackers to inject malicious XML code into PDF files, which can lead to arbitrary code execution on the server.
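The threat-intelligence block above reports that no open-source detection exists for this issue. The script below is a heuristic detector added here as an example; it is not part of this advisory and not Apache Tika code. It assumes the hostile XML sits in an ordinary PDF stream object, inflates FlateDecode streams, and flags a stream only when it contains both a DOCTYPE and an external (SYSTEM or PUBLIC) entity declaration, so harmless internal DTDs do not trigger it. Streams with filters it cannot decode are reported as skipped rather than silently treated as clean. The minimal PDF, the XML and the placeholder URI in it are constructed test input.

```python
import re
import zlib

# Two DTD constructs that together indicate an external-entity (XXE) payload.
DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.I)
EXTERNAL_ENTITY = re.compile(rb"<!ENTITY\s+%?\s*[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.I)
# Crude PDF object tokenizer: "N G obj << dict >> stream ... endstream".
STREAM_OBJ = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def decode_stream(dictionary, raw):
    """Return (decoded_bytes_or_None, filter_label) for one stream object."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw), "FlateDecode"
        except zlib.error:
            return None, "FlateDecode(undecodable)"
    if b"/Filter" in dictionary:
        return None, "unsupported-filter"  # ASCIIHex, LZW, etc. are not handled here
    return raw, "none"


def find_external_entities(pdf_bytes):
    """List every stream whose decoded content declares a DOCTYPE with an
    external entity. Undecodable streams are listed under 'skipped' so an
    analyst knows coverage was incomplete."""
    hits, skipped = [], []
    for m in STREAM_OBJ.finditer(pdf_bytes):
        obj_num, dictionary, raw = int(m.group(1)), m.group(2), m.group(3)
        data, filt = decode_stream(dictionary, raw)
        if data is None:
            skipped.append({"object": obj_num, "filter": filt})
            continue
        ent = EXTERNAL_ENTITY.search(data)
        if DOCTYPE.search(data) and ent:
            hits.append({"object": obj_num, "filter": filt,
                         "declaration": ent.group(0).decode("latin-1")})
    return {"hits": hits, "skipped": skipped}


def build_sample_pdf(stream_content, compress):
    """Constructed minimal PDF-like file with one stream object (test input only)."""
    body = zlib.compress(stream_content) if compress else stream_content
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.7\n1 0 obj\n<< " + filt + b"/Length " + str(len(body)).encode()
            + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


# Constructed samples: the SYSTEM URI is a placeholder, not a real path.
XXE_XML = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY ext SYSTEM '
           b'"file:///constructed/placeholder">]><r>&ext;</r>')
# Internal entity only: a legitimate DTD that must not be flagged.
BENIGN_XML = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY note "internal only">]>'
              b'<r>&note;</r>')

if __name__ == "__main__":
    for label, xml in (("xxe", XXE_XML), ("benign", BENIGN_XML)):
        print(label, find_external_entities(build_sample_pdf(xml, compress=True)))
```

Run it over a directory of PDFs arriving at the Tika ingestion point and alert on any non-empty `hits`; treat a non-empty `skipped` list as reduced coverage, not as a clean result. This is a triage aid while the upgrade is rolled out, not a substitute for it.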

Am I affected?

You're affected if you use Apache Tika tika-core versions 1.13 through 3.2.1, tika-pdf-module versions 2.0.0 through 3.2.1, or tika-parsers versions 1.13 through 1.28.5, on any platform. Check with: find / -name "tika-core*.jar" or grep -r "tika-parser-pdf-module" pom.xml
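The find and grep commands above show whether a Tika jar or dependency is present, but not whether its version falls inside the affected ranges. The following script, added here as an example and not part of the advisory, encodes the three ranges stated above and applies them to jar filenames under a directory and to Maven pom.xml dependencies, resolving ${property} versions from the pom's <properties> block. Versions it cannot resolve (for instance ones managed by a parent POM or BOM) are reported as unknown rather than as safe. The pom embedded in the block is constructed sample input.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Affected version ranges as stated in the advisory, inclusive on both ends.
# tika-parser-pdf-module is the Maven artifactId used by the advisory's grep command.
AFFECTED_RANGES = {
    "tika-core": ("1.13", "3.2.1"),
    "tika-parser-pdf-module": ("2.0.0", "3.2.1"),
    "tika-parsers": ("1.13", "1.28.5"),
}
FIXED_VERSION = "3.2.2"

# Matches e.g. tika-core-3.2.1.jar or tika-parser-pdf-module-2.9.0-SNAPSHOT.jar
JAR_NAME = re.compile(r"^(tika-[a-z-]+?)-(\d+(?:\.\d+)*(?:[-.][A-Za-z0-9]+)*)\.jar$")


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); '1.28.5-SNAPSHOT' -> (1, 28, 5); padded to 3 parts.
    Returns None when there is no numeric prefix (e.g. an unresolved ${prop})."""
    parts = []
    for piece in re.split(r"[.-]", text.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        return None
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_affected(artifact, version):
    """True/False for the three listed artifacts; None when the artifact is not
    listed or the version cannot be parsed (treat None as 'investigate')."""
    if artifact not in AFFECTED_RANGES:
        return None
    v = parse_version(version)
    if v is None:
        return None
    lo, hi = (parse_version(b) for b in AFFECTED_RANGES[artifact])
    return lo <= v <= hi


def parse_jar_name(filename):
    m = JAR_NAME.match(filename)
    return (m.group(1), m.group(2)) if m else None


def scan_jars(root_dir):
    """The advisory's find command, extended with the version check."""
    results = []
    for path in Path(root_dir).rglob("tika-*.jar"):
        parsed = parse_jar_name(path.name)
        if parsed:
            results.append((str(path), parsed[0], parsed[1], is_affected(*parsed)))
    return results


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the Maven XML namespace


def scan_pom(pom_xml):
    """Return (artifactId, resolved version, affected?) for every org.apache.tika dependency."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(c.tag): (c.text or "").strip() for c in el})
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") != "org.apache.tika":
            continue
        version = f.get("version", "")
        m = re.fullmatch(r"\$\{(.+?)\}", version)
        if m:
            version = props.get(m.group(1), version)
        artifact = f.get("artifactId", "")
        findings.append((artifact, version, is_affected(artifact, version)))
    return findings


# Constructed sample pom.xml; versions chosen to sit on the upper edge of each range.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><tika.version>3.2.1</tika.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.tika</groupId><artifactId>tika-core</artifactId>
      <version>${tika.version}</version></dependency>
    <dependency><groupId>org.apache.tika</groupId><artifactId>tika-parser-pdf-module</artifactId>
      <version>${tika.version}</version></dependency>
    <dependency><groupId>org.apache.tika</groupId><artifactId>tika-parsers</artifactId>
      <version>1.28.5</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, version, affected in scan_pom(SAMPLE_POM):
        print(f"{artifact} {version}: affected={affected} (fixed in {FIXED_VERSION})")
```

Point scan_jars at an application's lib directory (or / as in the advisory) for deployed artifacts, and scan_pom at each pom.xml for declared ones; a None result means the version needs to be resolved by hand before the host can be marked clean.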

Note: This vulnerability is similar to CVE-2025-54988, but it affects different modules and versions of Apache Tika.

Affected Packages

maven: org.apache.tika:tika-core

Affected Products

Apache Software Foundation / Tika

How to fix

  1. Upgrade to Apache Tika 3.2.2 or later from the official Apache Software Foundation website.
  2. If an immediate upgrade isn't possible:
     a. Set org.apache.tika.parser.pdfParser to false as a JVM flag.
     b. Remove the org.apache.tika.parser.pdfParser class: zip -q -d tika-core-*.jar org/apache/tika/parser/pdf/Parser.class