CVE-2025-54988 – org.apache.tika:tika-parser-pdf-module
Package
Manager: maven
Name: org.apache.tika:tika-parser-pdf-module
Vulnerable Version: >=1.13 <3.2.2
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00049 (percentile 0.14892)
Details
Title: Apache Tika XXE Vulnerability via Crafted XFA File Inside a PDF
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
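An added exposure check, not part of this advisory or of Apache Tika, that flags direct Maven dependencies whose version falls in the advisory's range (>=1.13 <3.2.2). The artifact names come from the advisory; the sample pom.xml is constructed, and applying the same version range to the dependent packages (which track the Tika release version) is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Vulnerable module plus the dependents the advisory lists. Matching the
# dependents on the module's range is an assumption; verify transitive versions.
AFFECTED_ARTIFACTS = {
    ("org.apache.tika", a) for a in (
        "tika-parser-pdf-module", "tika-parsers-standard-modules",
        "tika-parsers-standard-package", "tika-app", "tika-grpc",
        "tika-server-standard",
    )
}
MIN_AFFECTED = (1, 13)   # ">=1.13"
FIXED = (3, 2, 2)        # "<3.2.2"
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_version(version: str) -> tuple:
    """Numeric dotted prefix of a Maven version; qualifiers like -SNAPSHOT are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.group(0).split("."))

def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's range >=1.13 <3.2.2."""
    return MIN_AFFECTED <= parse_version(version) < FIXED

def find_affected(pom_xml: str) -> list:
    """Return (groupId:artifactId, version) for affected direct dependencies."""
    root = ET.fromstring(pom_xml)  # ElementTree does not fetch external entities
    hits = []
    for dep in root.iterfind(".//m:dependency", POM_NS):
        g = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        a = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        v = dep.findtext("m:version", default="", namespaces=POM_NS)
        if (g, a) in AFFECTED_ARTIFACTS and v and is_affected(v):
            hits.append((f"{g}:{a}", v))
    return hits

# Constructed sample pom.xml, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>org.apache.tika</groupId><artifactId>tika-parser-pdf-module</artifactId><version>3.2.1</version></dependency>
<dependency><groupId>org.apache.tika</groupId><artifactId>tika-app</artifactId><version>3.2.2</version></dependency>
<dependency><groupId>org.apache.tika</groupId><artifactId>tika-server-standard</artifactId><version>2.9.2</version></dependency>
</dependencies></project>"""

if __name__ == "__main__":
    for coord, ver in find_affected(SAMPLE_POM):
        print(f"{coord} {ver} is in the vulnerable range; upgrade to 3.2.2")
```

Only direct dependencies are inspected; the module usually arrives transitively, so run `mvn dependency:tree` and feed the resolved tika-parser-pdf-module version to `is_affected`.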
Metadata
Created: 2025-08-20T21:30:27Z
Modified: 2025-08-21T15:41:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-p72g-pv48-7w9x/GHSA-p72g-pv48-7w9x.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-p72g-pv48-7w9x
Finding: F083
Auto approve: 1