
Apache Issues Max-Severity Tika CVE After Patch Miss

by David Walker

The Apache Software Foundation (ASF) has issued a new CVE identifier for a critical security flaw in Apache Tika because its original vulnerability disclosure failed to capture the full set of affected components and left many users exposed even after they applied the recommended patch.

The new maximum severity CVE-2025-66516 (CVSS score: 10) updates CVE-2025-54988, a Critical XML External Entity (XXE) flaw that ASF disclosed in August and described at the time as affecting Apache Tika 1.13 through 3.2.1. The new CVE-2025-66516 addresses the same underlying flaw but includes an expanded list of covered modules and clarifies where exactly the vulnerability resides.

Still Vulnerable to Apache Tika Flaw

“Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable,” ASF said in its description of CVE-2025-66516.

Apache Tika is an open source content analysis tool that can automatically recognize and extract text and metadata from PDFs, PowerPoint, Excel, Word, and hundreds of other file formats. Use cases for the tool include search engine indexing, translation, and feeding content into AI pipelines.

When the ASF disclosed CVE-2025-54988 in August, it characterized the vulnerability as enabling an attacker to “carry out XML External Entity injection via a crafted XFA file inside of a PDF.” The foundation described the vulnerability as present in the tika-parser-pdf-module and allowing an attacker to read sensitive data, trigger denial-of-service conditions and establish unauthorized connections to otherwise isolated internal and third party systems. “Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard,” the ASF reminded organizations using the tool. 


The ASF said it expanded the vulnerability's scope and issued a new CVE for two reasons. First, while CVE-2025-54988 identified the tika-parser-pdf-module as the vulnerability's entry point and recommended upgrading that component, the flaw actually resides in tika-core, the ASF said. Organizations that upgraded only the PDF parser module after the initial advisory but did not update tika-core to version 3.2.2 or later therefore remain vulnerable to exploitation, it warned.

Second, the original advisory overlooked the fact that in legacy 1.x Tika releases the PDF parser lived inside the “org.apache.tika:tika-parsers” module rather than existing as a separate component, the ASF said. This meant users of older Tika versions had no clear guidance on which components required patching.


Broader Impact

CVE-2025-66516 affects both tika-core and tika-parsers from version 1.13 up to and including 3.2.1. The PDF parser is affected from 1.13 up to (but not including) 2.0.0, when it shipped inside tika-parsers, and as the separate tika-parser-pdf-module from 2.0.0 through 3.2.1. The ASF has fixed the issue in Tika 3.2.2 and later releases. Organizations need to upgrade tika-core to 3.2.2 or later to protect against the vulnerability; according to the ASF, updating the PDF module alone is insufficient.

CVE-2025-66516 is an example of how deeply embedded libraries like Apache Tika can create hidden risk across an entire organization through transitive dependencies, where one component relies on another and a critical flaw in one module cascades into every application that pulls it in. It is one reason security experts recommend that organizations maintain a detailed software bill of materials (SBOM) and run automated dependency scanning that tracks every component and its interdependencies, so that a fix applied to the wrong layer is caught rather than assumed.
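The patch miss the article describes is exactly the kind of thing an SBOM check should catch. The following Python is an added example, not code from the article, the ASF or the Apache Tika project: it reads CycloneDX-style SBOM JSON and flags the org.apache.tika version ranges listed above, including the specific case where tika-parser-pdf-module is already at 3.2.2 but tika-core is not. It assumes each component carries CycloneDX `group`, `name` and `version` fields; the three SBOM documents embedded in it are constructed samples, and the function and variable names are the example's own.

```python
"""Flag Apache Tika components affected by CVE-2025-66516 in a CycloneDX SBOM.

Added example (not from the article or the Tika project). The ranges below
encode the advisory as summarised in the article; the SBOMs are constructed.
"""
import json
import re

GROUP = "org.apache.tika"
FIXED = (3, 2, 2)  # first fixed release per the ASF

# artifactId -> (first affected, inclusive; first unaffected, exclusive)
AFFECTED = {
    "tika-core": ((1, 13, 0), FIXED),              # where the flaw actually resides
    "tika-parsers": ((1, 13, 0), (2, 0, 0)),       # legacy 1.x bundle holding the PDF parser
    "tika-parser-pdf-module": ((2, 0, 0), FIXED),  # entry point named in CVE-2025-54988
}


def parse_version(v: str) -> tuple:
    """Turn '3.2.1', '1.13' or '3.2.2-SNAPSHOT' into a 3-tuple of ints."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) if x else 0 for x in m.groups())


def in_range(ver: tuple, rng: tuple) -> bool:
    lo, hi = rng
    return lo <= ver < hi


def tika_components(sbom: dict) -> dict:
    """Map artifactId -> version tuple for every org.apache.tika component."""
    return {
        c["name"]: parse_version(c["version"])
        for c in sbom.get("components", [])
        if c.get("group") == GROUP and c.get("version")
    }


def assess(sbom: dict) -> dict:
    """Return affected Tika artifacts plus the two caveats a reviewer wants to see."""
    comps = tika_components(sbom)
    affected = sorted(
        name for name, ver in comps.items()
        if name in AFFECTED and in_range(ver, AFFECTED[name])
    )
    core = comps.get("tika-core")
    pdf = comps.get("tika-parser-pdf-module")
    return {
        "affected": affected,
        # The miss the re-issued CVE calls out: PDF module patched, tika-core not.
        "patch_miss": pdf is not None and pdf >= FIXED and core is not None and core < FIXED,
        # A Tika parser without tika-core in the SBOM means the inventory is incomplete.
        "core_missing": bool(comps) and core is None,
    }


def load_sbom(text: str) -> dict:
    return json.loads(text)


# --- constructed sample SBOMs (not real inventories) ---
SAMPLE_PATCH_MISS = load_sbom("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"group": "org.apache.tika", "name": "tika-core", "version": "3.2.1"},
    {"group": "org.apache.tika", "name": "tika-parser-pdf-module", "version": "3.2.2"},
    {"group": "org.apache.tika", "name": "tika-parsers-standard-package", "version": "3.2.2"}
  ]}""")

SAMPLE_FIXED = load_sbom("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"group": "org.apache.tika", "name": "tika-core", "version": "3.2.2"},
    {"group": "org.apache.tika", "name": "tika-parser-pdf-module", "version": "3.2.2"}
  ]}""")

SAMPLE_LEGACY = load_sbom("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"group": "org.apache.tika", "name": "tika-core", "version": "1.28.5"},
    {"group": "org.apache.tika", "name": "tika-parsers", "version": "1.28.5"}
  ]}""")


if __name__ == "__main__":
    for label, sbom in (("patch-miss", SAMPLE_PATCH_MISS),
                        ("fixed", SAMPLE_FIXED),
                        ("legacy-1.x", SAMPLE_LEGACY)):
        print(label, json.dumps(assess(sbom)))
```

Run against a real CycloneDX export, `assess` should report an empty `affected` list and `patch_miss` false before the finding is closed; a true `core_missing` means the SBOM generator did not resolve transitive dependencies and the result is not trustworthy yet.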
