Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch
2025-12-05 16:23 Author: thehackernews.com

Application Security / Vulnerability

A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack.

The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity.

"Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF," according to an advisory for the vulnerability.


It affects the following Maven packages:

  • org.apache.tika:tika-core >= 1.13, <= 3.2.1 (Patched in version 3.2.2)
  • org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1 (Patched in version 3.2.2)
  • org.apache.tika:tika-parsers >= 1.13, < 2.0.0 (Patched in version 2.0.0)

XXE injection refers to a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. This, in turn, makes it possible to read files on the application server's file system and, in some cases, even achieve remote code execution.

CVE-2025-66516 is assessed to be the same as CVE-2025-54988 (CVSS score: 8.4), another XXE flaw in the content detection and analysis framework that was patched by the project maintainers in August 2025. The new CVE, the Apache Tika team said, expands the scope of affected packages in two ways.

"First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core," the team said. "Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable."

"Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the 'org.apache.tika:tika-parsers' module."
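A quick way to audit a build for the affected coordinates listed above, including the case the team describes where tika-parser-pdf-module was bumped but tika-core was left behind, is to run the Maven dependency list through a small checker. This is an added example, not code from the advisory or the Tika project; it assumes the `groupId:artifactId:type:version:scope` line format printed by `mvn dependency:list` and works on a constructed sample.

```python
# Added example (not code from the advisory or the Tika project): flag the
# Tika artifacts in a `mvn dependency:list` output that fall inside the
# CVE-2025-66516 ranges.  Assumed input format: groupId:artifactId:type:version:scope.
import re

# Advisory ranges: (lower bound incl., upper bound, upper incl.?, fixed version)
AFFECTED = {
    "tika-core":              ("1.13",  "3.2.1", True,  "3.2.2"),
    "tika-parser-pdf-module": ("2.0.0", "3.2.1", True,  "3.2.2"),
    "tika-parsers":           ("1.13",  "2.0.0", False, "2.0.0"),
}
DEP_RE = re.compile(r"org\.apache\.tika:([\w.-]+):[\w.-]+:([^:\s]+)")

def parse_version(v):
    """'3.2.1' or '1.28.5-SNAPSHOT' -> (3, 2, 1) / (1, 28, 5); qualifiers dropped."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    parts = [int(p) for p in m.group(0).split(".")] if m else [0]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(artifact, version):
    """True when artifact:version lies inside the advisory's vulnerable range."""
    if artifact not in AFFECTED:
        return False
    lo, hi, hi_incl, _ = AFFECTED[artifact]
    v, lo, hi = parse_version(version), parse_version(lo), parse_version(hi)
    return v >= lo and (v <= hi if hi_incl else v < hi)

def audit(dependency_list):
    """Return [(artifact, version, fixed)] for each vulnerable Tika dependency."""
    findings = []
    for line in dependency_list.splitlines():
        m = DEP_RE.search(line)
        if m and is_affected(m.group(1), m.group(2)):
            findings.append((m.group(1), m.group(2), AFFECTED[m.group(1)][3]))
    return findings

# Constructed sample: the PDF module was bumped to 3.2.2 but tika-core was not,
# the exact case the Tika team says is still vulnerable.
SAMPLE = """\
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.apache.pdfbox:pdfbox:jar:3.0.3:compile
"""

for artifact, version, fixed in audit(SAMPLE):
    print(f"VULNERABLE {artifact} {version}: upgrade to {fixed}")
```

On the sample only tika-core is reported, which is the point of the team's first clarification: the fix lives in tika-core, so that artifact must be checked on its own.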

In light of the criticality of the vulnerability, users are advised to apply the updates as soon as possible to mitigate potential threats.



Source: https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html