That could enable attackers to steal sensitive data, launch denial-of-service attacks, or conduct server-side request forgery operations.
The vulnerability, tracked as CVE-2025-66516, affects tika-core versions 1.13.0 through 3.2.1 and carries a maximum CVSS severity score of 10.0.
Apache disclosed the flaw on December 4, 2025, prompting immediate concern among organizations that rely on the popular content analysis toolkit.
Apache Tika parses a wide range of document formats to extract text and metadata. The flaw is an XML External Entity (XXE) injection in the PDF parser: an attacker embeds a crafted XFA (XML Forms Architecture) form inside a PDF, and when Tika processes that file the XFA XML is parsed with external entity resolution enabled, so entity references in the attacker's document are resolved against the server's own file system and network.
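A practical first step for a team that ingests untrusted PDFs is to triage uploads for the shape of input the article describes: an XFA stream whose XML declares an external (SYSTEM or PUBLIC) entity. The following scanner is an added example written for this page; it is not code from the article, from Censys or from the Apache Tika project. It assumes unencrypted PDFs whose XFA sits in plain or FlateDecode stream objects, and the two sample documents it builds are constructed inline: the "malicious" one uses the generic XXE declaration pattern for the test and is not a verified trigger for CVE-2025-66516.

```python
import re
import zlib

# Heuristic markers for an XFA payload: the XDP wrapper element or the XFA template namespace.
XFA_MARKERS = (b"<xdp:xdp", b"xfa.org/schema")
# The XXE shape: an entity declaration that points outside the document (SYSTEM or PUBLIC),
# including parameter entities ("<!ENTITY % name SYSTEM ...>").
EXT_ENTITY_RE = re.compile(rb"<!ENTITY\s+(%\s*)?([\w.\-]+)\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
# PDF stream bodies; "(?<!end)" keeps the keyword inside "endstream" from starting a match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def _stream_bodies(pdf: bytes):
    """Yield the decoded bytes of each stream object (FlateDecode inflated, others raw)."""
    for m in STREAM_RE.finditer(pdf):
        head = pdf[max(0, m.start() - 256):m.start()]  # the stream dictionary precedes the keyword
        body = m.group(1)
        if b"/FlateDecode" in head:
            try:
                # decompressobj tolerates the EOL that sits between the data and "endstream"
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                pass  # fall back to scanning the literal bytes
        yield body


def scan_pdf_for_xfa_xxe(pdf: bytes) -> list:
    """Return [(entity_name, "SYSTEM" | "PUBLIC"), ...] for external entities declared in XFA streams."""
    hits = []
    for body in _stream_bodies(pdf):
        if not any(marker in body for marker in XFA_MARKERS):
            continue
        for m in EXT_ENTITY_RE.finditer(body):
            hits.append((m.group(2).decode("ascii", "replace"), m.group(3).decode("ascii").upper()))
    return hits


def build_sample_pdf(xfa_xml: bytes, compress: bool = True) -> bytes:
    """Constructed minimal PDF with one XFA stream (no xref table: enough for the scanner, not a viewer)."""
    data = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b" /Filter /FlateDecode" if compress else b""
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj\n",
        b"2 0 obj << /XFA 3 0 R >> endobj\n",
        b"3 0 obj << /Length %d%s >>\nstream\n" % (len(data), filt),
        data,
        b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


# Constructed samples: a generic XXE declaration inside an XFA packet, and a clean XFA packet.
MALICIOUS_XFA = b"""<?xml version="1.0"?>
<!DOCTYPE xdp:xdp [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
<subform name="form1"><field name="f"><value><text>&xxe;</text></value></field></subform>
</template></xdp:xdp>"""

BENIGN_XFA = b"""<?xml version="1.0"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
<subform name="form1"><field name="f"><value><text>hello</text></value></field></subform>
</template></xdp:xdp>"""

if __name__ == "__main__":
    print(scan_pdf_for_xfa_xxe(build_sample_pdf(MALICIOUS_XFA)))  # [('xxe', 'SYSTEM')]
    print(scan_pdf_for_xfa_xxe(build_sample_pdf(BENIGN_XFA)))     # []
```

This is a triage signal, not a substitute for patching: it does not open encrypted PDFs, does not descend into object streams (/ObjStm), and a DOCTYPE split across XFA packets that carry no XDP marker would be missed. A stricter deployment can drop the XFA marker check and quarantine any PDF stream that declares an external entity at all, since legitimate forms have no reason to do so.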
| Field | Value |
|---|---|
| CVE-ID | CVE-2025-66516 |
| CVSS Score | 10.0 (Critical) |
| Vulnerability Type | XML External Entity (XXE) Injection |
| Attack Vector | Crafted XFA file inside PDF |
| Potential Impact | Data exfiltration, DoS, SSRF |
Successful exploitation permits a remote attacker to read files from the vulnerable server, exhaust system resources to disrupt service, or abuse the server as a proxy for requests to internal network resources.
This could expose backend systems, databases, or cloud metadata endpoints that should remain protected behind firewalls.
Security research firm Censys identified 565 potentially vulnerable Tika Server instances accessible from the internet as of December 2025.
These exposed systems span multiple countries and represent a significant attack surface for threat actors scanning for unpatched installations.
Organizations running Apache Tika Server should immediately upgrade tika-core to version 3.2.2 or later. Applications that use Tika as a Maven dependency must also update tika-parsers to version 1.28.6 or higher, or tika-pdf-module to version 3.2.2 or higher.
No proof-of-concept exploit code has been publicly released, and no active exploitation has been reported at the time of disclosure.
However, given the critical severity and straightforward attack method, security teams should prioritize patching before attackers develop working exploits.
The post 500+ Apache Tika Toolkit Instances Vulnerable to Critical XXE Attack Exposed Online appeared first on Cyber Security News.