CVE-2025-54988

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-54988
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w Mailing List Issue Tracking Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*
History

25 Aug 2025, 14:24

Type Values Removed Values Added
CPE cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*
First Time Apache tika
Apache
References () https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w - () https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w - Mailing List, Issue Tracking, Vendor Advisory

21 Aug 2025, 15:15

Type Values Removed Values Added
Summary
  • (es) El error XXE crítico en Apache Tika (tika-parser-pdf-module), presente en Apache Tika desde la versión 1.13 hasta la 3.2.1 (incluida), en todas las plataformas, permite a un atacante inyectar una entidad externa XML mediante un archivo XFA manipulado dentro de un PDF. Un atacante podría leer datos confidenciales o activar solicitudes maliciosas a recursos internos o servidores de terceros. Tenga en cuenta que el módulo tika-parser-pdf-module se utiliza como dependencia en varios paquetes de Tika, incluyendo al menos: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc y tika-server-standard. Se recomienda actualizar a la versión 3.2.2, que soluciona este problema.
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8

20 Aug 2025, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-20 20:15

Updated : 2025-08-25 14:24

NVD link : CVE-2025-54988

Mitre link : CVE-2025-54988

CVE.ORG link : CVE-2025-54988

JSON object : View

Products Affected

apache

  • tika
CWE
CWE-611

Improper Restriction of XML External Entity Reference