A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack.

The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity.

"Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF," according to an advisory for the vulnerability.

It affects the following Maven packages -

  • org.apache.tika:tika-core >= 1.13, <= 3.2.1 (Patched in version 3.2.2)
  • org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1 (Patched in version 3.2.2)
  • org.apache.tika:tika-parsers >= 1.13, < 2.0.0 (Patched in version 2.0.0)

XXE injection refers to a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. This, in turn, makes it possible to access files on the application server file system and, in some cases, even, achieve remote code execution.

Cybersecurity

CVE-2025-66516 is assessed to be the same as CVE-2025-54988 (CVSS score: 8.4), another XXE flaw in the content detection and analysis framework that was patched by the project maintainers in August 2025. The new CVE, the Apache Tika team said, expands the scope of affected packages in two ways.

"First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core," the team said. "Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable."

"Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module."

In light of the criticality of the vulnerability, users are advised to apply the updates as soon as possible to mitigate potential threats.

Update

On December 11, 2025, Atlassian released updates for Bamboo Data Center and Server to address CVE-2025-66516. It has been fixed in the following versions -

  • 12.0.2 Data Center Only
  • 10.2.12 (LTS) recommended Data Center Only
  • 9.6.20 (LTS) Data Center Only

"This is a vulnerability in a non-Atlassian Bamboo dependency," the Australian-American software company said. "Atlassian's application of this dependency presents a lower, non-critical assessed risk."

(The story was updated after publication on December 15, 2025, to include Atlassian's fixes for the vulnerability in its products.)

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.