CVE-2025-54988

Medienbericht

EPSS 0.02%
Veröffentlicht 20.08.2025 20:15:33
Zuletzt bearbeitet 04.11.2025 22:16:29
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard.

Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Tika Version >= 1.13 < 3.2.2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.054

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security@apache.org	8.4	2.5	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://www.heise.de/news/Sicherheitsupdates-Apache-HTTP-Server-und-Tika-sind-verwundbar-11105834.html

Media Report

https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w

Vendor Advisory

Mailing List

Issue Tracking

https://lists.debian.org/debian-lts-announce/2025/10/msg00030.html

http://www.openwall.com/lists/oss-security/2025/08/20/2

http://www.openwall.com/lists/oss-security/2025/08/20/3

https://nvd.nist.gov/vuln/detail/CVE-2025-54988

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-54988

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-54988

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-54988