CVE Alert

CVE-2025-54988

HIGH 8.4

Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA

CVSS Score
8.4
EPSS Score
0.0%
EPSS Percentile
0th

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.

CWE CWE-611
Vendor apache software foundation
Product apache tika pdf parser module
Published Aug 20, 2025
Last Updated Feb 26, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

Apache Software Foundation / Apache Tika PDF parser module
1.13 through 3.2.1 (inclusive)

References

NVD
CVE.org
EPSS Data
lists.apache.org: https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w
lists.debian.org: https://lists.debian.org/debian-lts-announce/2025/10/msg00030.html
openwall.com: http://www.openwall.com/lists/oss-security/2025/08/20/2
openwall.com: http://www.openwall.com/lists/oss-security/2025/08/20/3

Credits

Paras Jain and Yakov Shafranovich of Amazon.