Message-ID: <2ad0b7ba-3a74-a21f-da8a-65d063ca2797@apache.org>
Date: Wed, 20 Aug 2025 19:45:49 +0000
From: Tim Allison <tallison@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-54988: Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA

Severity: critical

Affected versions:

- Apache Tika PDF parser module (org.apache.tika:tika-parser-pdf-module) 1.13 through 3.2.1

Description:

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard.

Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Credit:

Paras Jain and Yakov Shafranovich of Amazon. (reporter)

References:

https://tika.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-54988
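The advisory above gives an affected version range and describes the vulnerability class (XXE through XML carried in a PDF's XFA form data) without showing what a defender can do with that information. The following is an added example, not code from Apache Tika or from the reporters: a small Python module that (1) checks a dotted tika-parser-pdf-module version against the range stated in the advisory and (2) rejects an XFA XML stream that declares a DOCTYPE or an external entity before any entity could be expanded, then extracts the form field names from a clean stream. The two XFA blobs are constructed for the example; the `file:///PLACEHOLDER-PATH` target is a placeholder, and the version helper assumes purely numeric dotted versions (no `-SNAPSHOT` style qualifiers).

```python
"""Defensive helpers around CVE-2025-54988 (added example, not Tika code).

Two independent checks:
  * is_affected(version): is this tika-parser-pdf-module version inside the
    advisory's range 1.13 through 3.2.1 (inclusive)?
  * xfa_is_unsafe(data) / parse_xfa_fields(data): refuse XFA XML that carries
    a DOCTYPE or external entity declaration; expat reports those
    declarations *before* it expands anything, so nothing is fetched.
"""
import xml.parsers.expat
from xml.etree import ElementTree as ET

# Range taken from the advisory text: 1.13 through and including 3.2.1.
AFFECTED_LOW = (1, 13)
AFFECTED_HIGH = (3, 2, 1)

# Constructed sample: a benign XFA template with two fields.
# (Namespace string is the XFA template namespace; used here only as sample data.)
SAFE_XFA = b"""<?xml version="1.0" encoding="UTF-8"?>
<template xmlns="http://www.xfa.org/schema/xfa-template/3.3">
  <subform name="form1">
    <field name="Name"/>
    <field name="Email"/>
  </subform>
</template>"""

# Constructed sample: same template, but with a DTD declaring an external
# entity. The SYSTEM target is a placeholder, not a real path.
HOSTILE_XFA = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE template [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER-PATH">
]>
<template xmlns="http://www.xfa.org/schema/xfa-template/3.3">
  <subform name="form1">
    <field name="Name"><value>&ext;</value></field>
  </subform>
</template>"""


class UnsafeXmlError(ValueError):
    """Raised when an XFA stream declares a DOCTYPE or an external entity."""


def is_affected(version: str) -> bool:
    """True if a numeric dotted version lies in 1.13 <= v <= 3.2.1."""
    parsed = tuple(int(part) for part in version.strip().split("."))
    return AFFECTED_LOW <= parsed <= AFFECTED_HIGH


def check_xfa_xml(data: bytes) -> None:
    """Raise UnsafeXmlError on the first DOCTYPE or external entity declaration.

    Raising inside an expat callback aborts the parse immediately, so the
    document body (and any &entity; reference in it) is never processed.
    """

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXmlError(
            f"DOCTYPE {name!r} present (system_id={system_id!r}); "
            "XFA streams must not carry a DTD"
        )

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            raise UnsafeXmlError(f"external entity {name!r} -> {system_id!r}")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def xfa_is_unsafe(data: bytes) -> bool:
    """Boolean wrapper around check_xfa_xml for use in scanners or tests."""
    try:
        check_xfa_xml(data)
    except UnsafeXmlError:
        return True
    return False


def parse_xfa_fields(data: bytes) -> list:
    """Return the field names of an XFA template, refusing unsafe input first."""
    check_xfa_xml(data)
    root = ET.fromstring(data)
    names = []
    for elem in root.iter():
        # Strip the namespace ("{uri}field" -> "field").
        local = elem.tag.rsplit("}", 1)[-1]
        if local == "field" and elem.get("name"):
            names.append(elem.get("name"))
    return names


if __name__ == "__main__":
    for v in ("1.12", "1.13", "3.2.1", "3.2.2"):
        print(f"tika-parser-pdf-module {v}: affected={is_affected(v)}")
    print("safe sample fields:", parse_xfa_fields(SAFE_XFA))
    print("hostile sample flagged:", xfa_is_unsafe(HOSTILE_XFA))
```

The check runs on the raw bytes of the `/XFA` stream once it has been pulled out of the PDF; it is a pre-filter, not a replacement for upgrading to the fixed 3.2.2 release named in the advisory. The same callback approach works for any XML a PDF pipeline hands to a general-purpose parser (XMP metadata, for instance), since a legitimate form template has no reason to carry a DTD at all.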
