The flaw allows attackers to exploit systems by uploading specially crafted PDF files containing malicious XFA (XML Forms Architecture) content.
The vulnerability impacts three key Apache Tika modules. The tika-core component (org.apache.tika:tika-core) versions 1.13 through 3.2.1 contains the core vulnerability.
In the legacy 1.x line, the tika-parsers module (org.apache.tika:tika-parsers) is affected from version 1.13 up to, but not including, 2.0.0.
Additionally, the tika-parser-pdf-module (org.apache.tika:tika-parser-pdf-module) versions 2.0.0 through 3.2.1 serves as the entry point for exploitation.
The vulnerability stems from improper handling of XML External Entity (XXE) processing when parsing XFA files embedded within PDF documents.
XXE attacks allow malicious actors to access sensitive data on affected systems, potentially leading to unauthorized file access, denial of service, or server-side request forgery.
The attack vector requires a threat actor to upload or submit a weaponized PDF file containing a crafted XFA component to a vulnerable Apache Tika instance.
This CVE expands upon the previously reported CVE-2025-54988 in two critical ways. First, while the initial vulnerability report identified the tika-parser-pdf-module as the entry point, the actual vulnerability and its fix reside in the tika-core module.
Organizations that upgraded only the PDF parser module without updating tika-core to version 3.2.2 or later remain vulnerable to exploitation.
Second, the original advisory failed to acknowledge that in Apache Tika 1.x releases, the PDFParser functionality was located in the org.apache.tika:tika-parsers module rather than a separate PDF-specific module. This oversight left numerous legacy deployments exposed to attack.
Organizations using affected Apache Tika versions should immediately upgrade to version 3.2.2 or later.
Security teams must ensure that both tika-core and any PDF parsing modules are updated simultaneously to eliminate the vulnerability.
System administrators should review access logs for suspicious PDF upload activity and implement additional input validation controls where possible.
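To make the partial-upgrade trap described above concrete, here is an added dependency-audit script (not part of the original article or the Apache Tika project). It reads the output of `mvn dependency:list`, applies the affected ranges stated in this advisory to the three artifacts, and flags the case where tika-parser-pdf-module was bumped to a fixed release while tika-core still sits in the affected range. The sample dependency listing below is constructed for illustration.

```python
import re

# Affected ranges from the advisory: lower bound inclusive, upper bound exclusive.
# "1.13 through 3.2.1" is written as [1.13, 3.2.2) because 3.2.2 is the fixed release.
AFFECTED_RANGES = {
    "org.apache.tika:tika-core": ((1, 13), (3, 2, 2)),
    "org.apache.tika:tika-parsers": ((1, 13), (2, 0, 0)),
    "org.apache.tika:tika-parser-pdf-module": ((2, 0, 0), (3, 2, 2)),
}

def parse_version(version: str) -> tuple:
    """'3.2.1' -> (3, 2, 1); a qualifier such as '-SNAPSHOT' is ignored."""
    return tuple(int(part) for part in version.split("-")[0].split("."))

def is_affected(artifact: str, version: str) -> bool:
    """True when artifact:version lies inside one of the advisory's affected ranges."""
    bounds = AFFECTED_RANGES.get(artifact)
    if bounds is None:
        return False
    lower, upper = bounds
    return lower <= parse_version(version) < upper

# Matches the 'groupId:artifactId:type[:classifier]:version:scope' lines
# printed by `mvn dependency:list`.
DEP_LINE = re.compile(
    r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):[\w\-]+:(?:[\w\-]+:)?([\w.\-]+):\w+")

# Constructed sample: PDF module already on the fixed release, core left behind.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    com.example:app-lib:jar:1.0.0:compile
"""

def assess(dependency_list: str) -> dict:
    """Report affected Tika artifacts and whether only the PDF module was upgraded."""
    found = {}
    for line in dependency_list.splitlines():
        m = DEP_LINE.match(line)
        if m:
            found[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    affected = {a: v for a, v in found.items() if is_affected(a, v)}
    core = "org.apache.tika:tika-core"
    pdf = "org.apache.tika:tika-parser-pdf-module"
    partial_upgrade = (pdf in found and not is_affected(pdf, found[pdf])
                       and core in affected)
    return {"affected": affected, "partial_upgrade": partial_upgrade,
            "vulnerable": bool(affected)}
```

Run `assess()` over real `mvn dependency:list` output (or the equivalent Gradle listing after adapting the regex); a `partial_upgrade` of True means the fix in tika-core is still missing even though the PDF module looks current.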
The vulnerability was reported by security researchers Paras Jain and Yakov Shafranovich of Amazon, highlighting the importance of coordinated vulnerability disclosure in protecting enterprise software ecosystems.
The post Critical Apache Tika Core Vulnerability Exploited Through Malicious PDF Uploads appeared first on Cyber Security News.