
CVE-2025-66516 is a critical XML External Entity (XXE) vulnerability in Apache Tika's core, rated CVSS 10.0. A malicious PDF uploaded into a document-processing pipeline can trigger out-of-band data exfiltration and server-side request forgery (SSRF) from the host that parses it, which puts search indexers, DLP engines and collaboration tools directly in the firing line. The flaw extends CVE-2025-54988 and affects tika-core 1.13 through 3.2.1 together with everything that depends on it, such as tika-parsers and tika-app; any environment that parses untrusted files is in scope.
Enterprise Exposure Scope
Tika integrates into high-volume file ingestion services, creating broad attack surfaces. Vulnerable deployments include:
- Content management systems (e.g., Alfresco, HCL Connections) using Tika for indexing.
- Email gateways and antivirus scanners parsing attachments.
- Cloud storage/metadata extractors in AWS S3 or Azure Blob processors.
- Custom Java apps with Maven/Gradle pulling vulnerable Tika artifacts.
Over half of Fortune 500 firms likely use Tika indirectly via OSS stacks (an estimate based on vulnerability-scanner data such as Qualys), so most hits will surface in third-party products rather than in code the organization wrote.
Because the parsing host can both read local files and make outbound requests, a successful exploit chains into credential theft, lateral movement or ransomware deployment wherever internal services reachable from that host lack authentication.
Prioritization for VM/GRC Teams
CISA KEV listing requires evidence of in-the-wild exploitation rather than a high CVSS score, but given the 10.0 rating and the likelihood of public exploit attempts, treat KEV addition as probable and check the catalog daily. In Qualys/Tenable:
- Query for tika-core versions below 3.2.2, or for the QID/plugin ID that maps to CVE-2025-66516.
- Prioritize internet-facing parsers and any service that accepts uploads from untrusted users. The base score is already 10.0, so environmental scoring can only lower the number for isolated hosts; exposed ones stay at the maximum.
Reducing attack surface ahead of the patch (refusing PDF ingestion from untrusted sources, egress filtering on parser hosts) is estimated to cut exposure by roughly 80%.
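The scanner query above, and the Maven/Gradle dependency check from the exposure list, can be run offline against build output. The following Python script is an added example (not part of this advisory or of the Tika project): it scans any text containing Maven coordinates (`mvn dependency:tree` output, a Gradle dependency report, a purl list from an SBOM) and reports every org.apache.tika artifact whose version falls in the affected 1.13–3.2.1 range. The dependency tree it runs on is constructed sample data; the assumption that Tika modules release in lockstep (so a tika-app or tika-parsers artifact below 3.2.2 implies a vulnerable tika-core) is the author's, not the advisory's.

```python
"""Flag Apache Tika artifacts in the CVE-2025-66516 affected range (1.13 <= v < 3.2.2).

Added example, not part of the advisory or of Apache Tika. It scans text
containing Maven coordinates and reports every org.apache.tika artifact whose
version predates the fixed 3.2.2 release. Assumption: Tika modules release in
lockstep, so any tika-* artifact below 3.2.2 implies a vulnerable tika-core.
"""
import re

GROUP = "org.apache.tika"
FIRST_AFFECTED = (1, 13, 0)   # advisory: affected from 1.13
FIXED = (3, 2, 2)             # advisory: fixed in 3.2.2

# Any whitespace-free token beginning with the Tika group id, e.g.
# org.apache.tika:tika-core:jar:3.2.1:compile
COORD_RE = re.compile(r"org\.apache\.tika:\S+")
# Dotted numeric version with an optional '-' qualifier (3.0.0-BETA, 3.2.2-SNAPSHOT).
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(.+))?$")


def version_key(version):
    """Split a Maven version into (numeric tuple padded to 3, qualifier).

    '1.28.5' -> ((1, 28, 5), ''), '3.2.2-SNAPSHOT' -> ((3, 2, 2), 'SNAPSHOT').
    Returns None for versions that are not a dotted number plus optional '-qualifier'.
    """
    m = VERSION_RE.match(version)
    if not m:
        return None
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]
    return nums, (m.group(2) or "")


def is_vulnerable(version):
    """True if version lies in 1.13 <= v < 3.2.2.

    Qualified builds of 3.2.2 itself (3.2.2-SNAPSHOT, 3.2.2-BETA) precede the
    release in Maven ordering and are treated as vulnerable. Raises ValueError
    for versions it cannot parse so callers can surface them for manual review.
    """
    parsed = version_key(version)
    if parsed is None:
        raise ValueError(f"unparseable version: {version!r}")
    nums, qualifier = parsed
    if nums < FIRST_AFFECTED:
        return False
    if nums < FIXED:
        return True
    return nums == FIXED and bool(qualifier)


def parse_coordinate(token):
    """Extract (artifactId, version) from a Maven coordinate token.

    Maven prints groupId:artifactId:type[:classifier]:version[:scope]; the
    version is the first field after artifactId that starts with a digit.
    Returns None for tokens outside the org.apache.tika group.
    """
    parts = token.split(":")
    if len(parts) < 3 or parts[0] != GROUP:
        return None
    for field in parts[2:]:
        if field and field[0].isdigit():
            return parts[1], field
    return None


def scan_dependency_tree(text):
    """Return (vulnerable, unparsed): sorted lists of (artifactId, version) tuples."""
    vulnerable, unparsed = set(), set()
    for token in COORD_RE.findall(text):
        coord = parse_coordinate(token)
        if coord is None:
            continue
        try:
            if is_vulnerable(coord[1]):
                vulnerable.add(coord)
        except ValueError:
            unparsed.add(coord)
    return sorted(vulnerable), sorted(unparsed)


# Constructed sample `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE = """\
[INFO] com.example:docsearch:jar:1.0.0
[INFO] +- org.apache.tika:tika-core:jar:3.2.1:compile
[INFO] +- org.apache.tika:tika-parsers-standard-package:jar:3.2.1:compile
[INFO] |  \\- org.apache.pdfbox:pdfbox:jar:3.0.5:compile
[INFO] +- org.apache.tika:tika-app:jar:1.28.5:test
[INFO] \\- org.apache.commons:commons-lang3:jar:3.17.0:compile
"""

if __name__ == "__main__":
    found, odd = scan_dependency_tree(SAMPLE_TREE)
    for artifact, version in found:
        print(f"UPGRADE {GROUP}:{artifact}:{version} -> 3.2.2+")
    for artifact, version in odd:
        print(f"REVIEW  {GROUP}:{artifact}:{version} (version not understood)")
```

Pipe real output in with `mvn dependency:tree | python3 tika_check.py` after replacing SAMPLE_TREE with `sys.stdin.read()`; test-scope hits (tika-app 1.28.5 in the sample) still matter because build agents parse attachments too.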
Mitigation Roadmap
- Immediate: Upgrade to tika-core 3.2.2 or later (and the matching tika-parsers/tika-app releases), then rebuild and redeploy every application and server that bundles it.
- Defensive (stopgap): block PDF/XFA processing for untrusted input via tika-config.xml. The parameter below only disables inline image extraction and does not affect XFA/XML parsing, so on its own it is not a mitigation:
<parser class="org.apache.tika.parser.pdf.PDFParser"><param name="extractInlineImages" type="bool">false</param></parser>
WAF rules that look for <!ENTITY in PDF uploads catch only uncompressed payloads; XFA streams are usually Flate-compressed, so treat such rules as a weak signal rather than a control.
- Long-term: shift-left dependency scanning in CI/CD; runtime validation that XML parsers disable DTDs and external entity resolution.
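A more reliable stopgap than tuning PDFParser parameters is to take the PDF parser out of Tika's default parser set, so PDF bytes never reach the PDF/XFA code path. The tika-config.xml below is an added example (not shipped with Tika or taken from this advisory); it uses Tika's documented parser-exclude mechanism, and the file path and the way it is loaded are assumptions for illustration. The cost is that PDFs yield no extracted text until the 3.2.2 upgrade lands, and because the advisory places the flaw in tika-core, this is a workaround, not a fix.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- tika-config.xml: stopgap for hosts still running tika-core < 3.2.2.
     Added example, not shipped with Tika. Load it from application code with
     new TikaConfig("/etc/tika/tika-config.xml") (path is an assumption), or
     via the config-file option of tika-app / tika-server. -->
<properties>
  <parsers>
    <!-- Keep every parser Tika would normally auto-select... -->
    <parser class="org.apache.tika.parser.DefaultParser">
      <!-- ...except the PDF parser. application/pdf inputs are then handed to
           Tika's fallback parser and return no text, so untrusted PDFs never
           reach the XFA/XML parsing path. -->
      <parser-exclude class="org.apache.tika.parser.pdf.PDFParser"/>
    </parser>
  </parsers>
</properties>
```

Verify the exclusion took effect by feeding a known-good PDF through the configured instance and confirming the extracted content is empty; if text comes back, the config was not picked up.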
Unpatched systems are obvious targets for phishing campaigns that deliver PDFs; treat the upgrade as an emergency change and complete it within 72 hours.