DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-66516: Tika Taka Boom: The Core XXE Hiding in Your PDFs


Vulnerability ID: CVE-2025-66516
CVSS Score: 8.4
Published: 2025-12-04

Apache Tika, the content analysis toolkit that sits behind many enterprise search indexers and document-preview features, has a high-severity (CVSS 8.4) XML External Entity (XXE) vulnerability in its core library. The flaw is in how Tika handles XFA (XML Forms Architecture) data embedded in PDF files: the XFA packet is XML, and parsing it with external entities enabled lets an attacker read local files or make the server issue outbound requests (Server-Side Request Forgery, SSRF) simply by submitting a crafted document. It is a scope expansion of the earlier CVE-2025-54988: the vulnerable code was not confined to the PDF module but lives in tika-core, so the fix has to land there and not only in the PDF parser.

TL;DR

High-severity XXE in Apache Tika (tika-core < 3.2.2). An attacker embeds a malicious XML payload, typically a DOCTYPE with an external entity, in the XFA form data of a PDF. When Tika parses the PDF to extract text or metadata, the XFA XML is parsed with external entities enabled, so the entity resolves: a file:// entity leaks local file contents into the extracted text, an http:// entity makes the server issue a request (SSRF). Upgrade tika-core, and the PDF module alongside it, to 3.2.2 or later.
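The following Java program is an added illustration of the bug class described above; it is not Tika's code and does not reproduce Tika's actual fix. It starts from XFA XML bytes as they would look once the PDF parser has pulled the packet out of the PDF (the sample payload, the file path it references, and the element names are constructed for the demo) and parses them twice: once with a default JAXP DocumentBuilderFactory, which resolves the external entity, and once with a hardened factory that refuses the DOCTYPE before any entity can be touched.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class XfaXxeDemo {

    // Constructed sample: an XFA datasets packet carrying an external entity.
    // It is the shape of payload the advisory describes, not a real-world PoC.
    static final String MALICIOUS_XFA =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE xdp [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\n"
      + "  <xfa:datasets xmlns:xfa=\"http://www.xfa.org/schema/xfa-data/1.0/\">\n"
      + "    <xfa:data><form1><name>&xxe;</name></form1></xfa:data>\n"
      + "  </xfa:datasets>\n"
      + "</xdp:xdp>\n";

    /** Default JAXP factory: DTDs and external entities are processed, so &xxe; resolves. */
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory: reject any DOCTYPE and turn off every external-access path. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary defence: a document with a DOCTYPE is rejected outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case DOCTYPEs must be tolerated elsewhere.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties (JDK 7u40+); older standalone Xerces builds may not accept them.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parse the XFA bytes with the given factory and return the text of the first <name>. */
    static String extractName(DocumentBuilderFactory factory, byte[] xfa)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new ByteArrayInputStream(xfa)));
        return doc.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = MALICIOUS_XFA.getBytes(StandardCharsets.UTF_8);

        try {
            // With the default factory the entity resolves and the file's content
            // ends up in the "form data", i.e. in the text Tika would hand back.
            String leaked = extractName(vulnerableFactory(), payload).trim();
            System.out.println("default parser leaked: " + leaked);
        } catch (Exception e) {
            // On a host without /etc/hostname the resolution fails instead of leaking.
            System.out.println("default parser: " + e);
        }

        try {
            extractName(hardenedFactory(), payload);
            System.out.println("hardened parser: unexpectedly accepted the DOCTYPE");
        } catch (SAXException e) {
            // Expected: the DOCTYPE is rejected before any entity can be resolved.
            System.out.println("hardened parser rejected payload: " + e.getMessage());
        }
    }
}
```

Swap the file:// URL for an http:// one and the default run becomes the SSRF case: the parser opens the connection during parsing, before any application code sees the document. That ordering is why egress filtering and an outright DOCTYPE ban both matter, and why the defence has to sit in whatever library actually instantiates the XML parser, which in Tika's case is tika-core.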


⚠️ Exploit Status: PoC available

Technical Details

  • CWE ID: CWE-611
  • Attack Vector: Network (via File Upload)
  • CVSS: 8.4 (High)
  • EPSS Score: 2.73% (High Percentile)
  • Impact: Information Disclosure / SSRF
  • Exploit Status: PoC available
  • Patch Status: Fixed in 3.2.2

Affected Systems

  • Apache Tika Core (tika-core) 1.13 through 3.2.1 (fixed in 3.2.2)
  • Apache Tika PDF Module (tika-parser-pdf-module) 2.0.0 through 3.2.1 (fixed in 3.2.2)
  • Apache Tika 1.x parser bundle (tika-parsers), which ships the PDF parser and depends on an affected tika-core
  • Enterprise search platforms (Solr, Elasticsearch) running Tika-based extraction plugins built on an affected version
  • Content Management Systems (CMS) whose document preview or indexing features run Tika over user-supplied files

Exploit Details

Mitigation Strategies

  • Upgrade tika-core (and tika-parser-pdf-module, or the 1.x tika-parsers bundle) to 3.2.2 or later; check transitive dependencies, since tika-core is usually pulled in indirectly.
  • Restrict network egress from hosts that run Tika, and block the cloud metadata endpoint (169.254.169.254) in particular. This only limits the SSRF half of the impact; it does nothing against local file read.
  • Run Tika in an isolated sandbox or container (tika-server in its own container is the usual pattern) with a minimal filesystem and a dedicated low-privilege user, so an XXE file read has little of value to reach.
  • Disable XFA parsing where it is not business-critical. Tika does not expose this as a simple switch; it requires custom parser configuration, and it is a stopgap rather than a substitute for the upgrade.

Remediation Steps:

  1. Identify every application that ships Apache Tika, using your SCA tooling. tika-core is frequently a transitive dependency (search plugins and CMS connectors pull it in), so resolve the full dependency tree rather than grepping top-level manifests (Maven: mvn dependency:tree -Dincludes=org.apache.tika; Gradle: gradle dependencyInsight --dependency tika-core).
  2. Force tika-core and the PDF module to 3.2.2 or later in pom.xml or build.gradle. Overriding a transitive version needs a dependencyManagement entry in Maven or a resolutionStrategy force in Gradle; bumping only a direct dependency may leave the old tika-core on the classpath.
  3. Rebuild and redeploy the application, then confirm the version actually deployed (the tika-core JAR in the artifact, or the version tika-server reports) rather than trusting the build file.
  4. Verify the fix by re-running the Nuclei PoC against a staging environment and confirming the payload no longer resolves.

Read the full report for CVE-2025-66516 on our website for more details including interactive diagrams and full exploit analysis.
