CVE-2025-54988
XML External Entity (XXE) Injection vulnerability in tika-parser-pdf-module (Maven)
What is CVE-2025-54988 About?
This XXE Injection vulnerability in Apache Tika (tika-parser-pdf-module) allows attackers to read sensitive data or trigger malicious requests to internal/third-party servers. It is caused by improper handling of crafted XFA files embedded within PDFs and is relatively easy to exploit with a specially prepared file.
Affected Software
- org.apache.tika:tika-parser-pdf-module
  - >1.13, <3.2.2
- org.apache.tika:tika-parsers
  - >1.13, <2.0.0-ALPHA
Technical Details
The vulnerability resides in the tika-parser-pdf-module of Apache Tika, affecting versions 1.13 through 3.2.1. An attacker can craft a PDF file containing an XFA (XML Forms Architecture) component. Within this XFA component, the attacker can embed external entity declarations (XXE payloads). When Apache Tika parses this crafted PDF, specifically the XFA part, the XML parser resolves the external entities without proper validation or restriction. This allows the attacker either to retrieve local files from the server (e.g., /etc/passwd) or to force the Tika server to make requests to internal network resources or external third-party servers, that is, server-side request forgery (SSRF).
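As an added example that is not part of this advisory or of Apache Tika's own code: a Python pre-screening check that pulls the stream objects out of a PDF and reports any XFA packet whose DTD declares an external DTD subset or SYSTEM/PUBLIC entities, which is the pattern described above. It is meant for gating uploads in front of a Tika instance that cannot be upgraded yet; the PDF handling is deliberately minimal (plain and FlateDecode streams only, no cross-reference or object-stream parsing), and the XFA packet, the PDF skeleton and the entity location are constructed samples.

```python
import re
import zlib
from xml.parsers import expat

STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.DOTALL)  # object dictionary + "stream" keyword

def external_entity_findings(xml_bytes):
    """(kind, name, location) for each DTD construct that would make a non-hardened parser reach out."""
    findings, parser = [], expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # inspect only, fetch nothing
    def on_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:
            findings.append(("external-dtd", name, sysid or pubid))
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:
            findings.append(("parameter-entity" if is_param else "general-entity", name, sysid or pubid))
    parser.StartDoctypeDeclHandler, parser.EntityDeclHandler = on_doctype, on_entity
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        pass  # keep whatever was declared before the document stopped being well-formed
    return findings

def xfa_xxe_findings(pdf_bytes):
    """Decode every stream object and check the XML-looking ones (XFA packets are XML)."""
    results = []
    for obj in pdf_bytes.split(b"endobj"):
        m = STREAM_RE.search(obj)
        n = m and re.search(rb"/Length\s+(\d+)", m.group(1))  # the dictionary gives the body length
        if not n:
            continue
        body = obj[m.end():m.end() + int(n.group(1))]
        try:
            body = zlib.decompress(body) if b"/FlateDecode" in m.group(1) else body
        except zlib.error:
            continue  # corrupt stream: out of scope for this check
        if body.lstrip().startswith(b"<"):
            results.extend(external_entity_findings(body))
    return results
# Constructed XFA packet whose internal DTD declares an external general entity.
XFA_PACKET = (b'<?xml version="1.0"?>\n<!DOCTYPE xdp [ <!ENTITY ext SYSTEM "file:///constructed-sample"> ]>\n'
              b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><f>&ext;</f></xdp:xdp>')

def build_sample_pdf(xfa_packet, compress):
    """Constructed PDF skeleton (catalog + XFA stream): enough for the scanner, not a viewable file."""
    body = zlib.compress(xfa_packet) if compress else xfa_packet
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /AcroForm << /XFA 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< /Length " + str(len(body)).encode() + filt + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n")
```

Any non-empty result is a reason to reject the file before it reaches a vulnerable parser; a clean result only says the XFA packets declare nothing external, not that the PDF is otherwise safe.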
What is the Impact of CVE-2025-54988?
Successful exploitation may allow attackers to read sensitive local files, access internal network resources, or cause the server to interact with external systems under attacker control, potentially leading to information disclosure, unauthorized access, or further network compromise.
What is the Exploitability of CVE-2025-54988?
Exploitation complexity is moderate, requiring the adversary to create a specially crafted PDF file containing an XFA component with an XXE payload. No authentication is typically required, since the flaw is triggered by file processing. The attacker needs to deliver the malicious PDF to a system that processes files using vulnerable Apache Tika versions, so this is a remote exploitation scenario. The presence of a vulnerable Apache Tika instance and the ability to upload or submit a malicious PDF file are the key prerequisites. Because several Tika packages pull in the vulnerable tika-parser-pdf-module as a dependency, the exposed surface is larger than the module itself.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| mgthuramoemyint | Link | A PDF generator for CVE-2025-54988 |
What are the Available Fixes for CVE-2025-54988?
Available Upgrade Options
- org.apache.tika:tika-parsers
  - >1.13, <2.0.0-ALPHA → Upgrade to 2.0.0-ALPHA
- org.apache.tika:tika-parser-pdf-module
  - >1.13, <3.2.2 → Upgrade to 3.2.2
Additional Resources
- https://lists.apache.org/thread/stn9oh7rfn9yv76n1srxr9w56oy04p72
- https://github.com/apache/tika/pull/2291
- https://github.com/apache/tika/commit/2b52257304f4d3cde2b8463657380bdb936d9ef2
- https://github.com/apache/tika
- https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w
- https://issues.apache.org/jira/browse/TIKA-4459
- https://archive.apache.org/dist/tika/3.2.2/CHANGES-3.2.2.txt
- https://osv.dev/vulnerability/GHSA-p72g-pv48-7w9x
- https://nvd.nist.gov/vuln/detail/CVE-2025-54988
What are Similar Vulnerabilities to CVE-2025-54988?
Similar Vulnerabilities: CVE-2023-38981, CVE-2022-26130, CVE-2021-43297, CVE-2020-13936, CVE-2019-12401
