Message-ID: <CAC1dCwVM3rxqS=KQf3=kWScQE5=NQ5ZvRH=srcF72JZROMb4hA@mail.gmail.com>
Date: Wed, 20 Aug 2025 15:45:33 -0400
From: Tim Allison <tallison@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-54988: Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA

Severity: critical

Affected versions:

- Apache Tika PDF parser module
(org.apache.tika:tika-parser-pdf-module) 1.13 through 3.2.1

Description:

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika
1.13 through and including 3.2.1 on all platforms allows an attacker
to carry out XML External Entity injection via a crafted XFA file
inside of a PDF. An attacker may be able to read sensitive data or
trigger malicious requests to internal resources or third-party
servers. Note that the tika-parser-pdf-module is used as a dependency
in several Tika packages including at least:
tika-parsers-standard-modules, tika-parsers-standard-package,
tika-app, tika-grpc and tika-server-standard.

Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Credit:

Paras Jain and Yakov Shafranovich of Amazon. (reporter)

References:

https://tika.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-54988
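As an added illustration of the vulnerability class named in this advisory (it is not Tika's code and not the project's fix, which is in 3.2.2), the following Java snippet shows the general JAXP hardening that stops an XML External Entity from being resolved when XML pulled out of a document (such as an XFA form stream in a PDF) is parsed. The sample XFA-like input is constructed for the example, and the SYSTEM identifier in it is a placeholder, not a real path. The class and method names are the example's own.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class HardenedXfaParse {

    // Constructed sample: an XFA-style XML fragment whose DOCTYPE declares an
    // external entity. A parser that resolves external entities would replace
    // &ext; with the referenced resource; a hardened parser rejects the DOCTYPE
    // before any resolution happens. The SYSTEM identifier is a placeholder.
    static final String SAMPLE_XFA =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE xdp [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\"> ]>\n"
      + "<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\"><field>&ext;</field></xdp:xdp>";

    // Constructed sample with no DOCTYPE, which a hardened parser still accepts.
    static final String PLAIN_XFA =
        "<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\"><field>ok</field></xdp:xdp>";

    // Factory configured so that neither DTDs nor external entities are honoured.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: refuse any DOCTYPE, so no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for implementations that honour the features below
        // but not the one above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Returns true if the XML parsed, false if the hardened parser rejected it.
    static boolean parseSafely(String xml) throws ParserConfigurationException, IOException {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        // Last line of defence: even if a DOCTYPE were processed, resolve every
        // external reference to an empty stream instead of fetching anything.
        db.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        try {
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException e) {
            // The DOCTYPE-bearing sample ends up here: the parser refuses it
            // rather than resolving the external entity.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOCTYPE-bearing XFA accepted? " + parseSafely(SAMPLE_XFA));
        System.out.println("Plain XFA accepted? " + parseSafely(PLAIN_XFA));
    }
}
```

Run as-is, the first call reports that the DOCTYPE-bearing input was rejected and the second that the plain input parsed. The same factory settings apply to SAXParserFactory and XMLInputFactory when a streaming parser is used instead of DOM; the important point for anyone embedding document parsers is that every XML parser reachable from untrusted input, including ones handed embedded streams from a PDF, gets this configuration rather than the JAXP defaults.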
