
Critical Flaw in Apache Tika PDF Parser Exposes Sensitive Data to Attackers


A critical XML External Entity (XXE) vulnerability has been discovered in Apache Tika’s PDF parser module, potentially allowing attackers to access sensitive data and compromise internal systems.

The flaw, tracked as CVE-2025-54988, affects a wide range of Apache Tika deployments and has prompted immediate security advisories from the Apache Software Foundation.

| Field | Value |
| --- | --- |
| CVE ID | CVE-2025-54988 |
| Severity | Critical |
| Affected Component | Apache Tika PDF parser module (org.apache.tika:tika-parser-pdf-module) |
| Affected Versions | 1.13 through 3.2.1 |
| Fixed Version | 3.2.2 |

The security flaw resides in the PDFParser’s handling of XFA (XML Forms Architecture) content within PDF documents.

Attackers can exploit this vulnerability by crafting malicious XFA files embedded within PDF documents, enabling them to perform XML External Entity injection attacks.

This attack vector allows adversaries to read sensitive files from the target system, access internal network resources, or trigger requests to external servers under their control ...
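The classic XXE pattern the article describes (a DOCTYPE in the XFA packet declaring an external entity) is also what a defender can look for while triaging PDFs, and what a hardened parser must refuse. The following is an added example, not code from the article or from Apache Tika: it scans a constructed, simplified PDF for XFA streams carrying DOCTYPE or external-entity declarations, and shows a parse step that rejects any DOCTYPE up front. It assumes uncompressed streams and a single /XFA stream (real PDFs usually Flate-encode streams and may split XFA into several packets), so the regex extraction is a triage aid, not a full PDF parser.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed XFA packets (hypothetical sample data, not from any real document).
CLEAN_XFA = (b'<?xml version="1.0"?>\n'
             b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><form>hello</form></xdp:xdp>')
XXE_XFA = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE xdp [ <!ENTITY leak SYSTEM "file:///placeholder/secret.txt"> ]>\n'
           b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><form>&leak;</form></xdp:xdp>')

# Patterns: raw PDF stream bodies, a DOCTYPE, an entity pointing outside the document,
# and markers that identify a stream as XFA content.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
EXT_ENTITY_RE = re.compile(rb"<!ENTITY\s+(%\s*)?[^\s>]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
XFA_MARKER_RE = re.compile(rb"<xdp:xdp|http://ns\.adobe\.com/xdp/|<template", re.IGNORECASE)


def wrap_in_pdf(xfa: bytes) -> bytes:
    """Build a minimal, uncompressed PDF-like blob with the packet in an /XFA stream.
    This is a constructed fixture, not a spec-complete PDF."""
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /AcroForm << /XFA 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< /Length " + str(len(xfa)).encode() + b" >>\nstream\n" + xfa
            + b"\nendstream\nendobj\n%%EOF\n")


def extract_streams(pdf: bytes) -> List[bytes]:
    """Return raw stream bodies. Assumes no /Filter; Flate-encoded streams would
    need decompression before the XML patterns below can match."""
    return STREAM_RE.findall(pdf)


def scan_xfa_for_xxe(pdf: bytes) -> List[Dict[str, object]]:
    """Flag XFA streams that declare a DOCTYPE or an external (SYSTEM/PUBLIC) entity.
    Either is a strong indicator that the packet is not ordinary form data."""
    findings: List[Dict[str, object]] = []
    for index, body in enumerate(extract_streams(pdf)):
        if not XFA_MARKER_RE.search(body):
            continue
        has_doctype = bool(DOCTYPE_RE.search(body))
        has_external = bool(EXT_ENTITY_RE.search(body))
        if has_doctype or has_external:
            findings.append({"stream_index": index,
                             "doctype": has_doctype,
                             "external_entity": has_external})
    return findings


def parse_xfa_hardened(xml_bytes: bytes) -> str:
    """Refuse any DOCTYPE (the only place entities can be declared) before the
    packet reaches the XML parser; return the root element's tag on success."""
    if DOCTYPE_RE.search(xml_bytes):
        raise ValueError("XFA packet declares a DOCTYPE; refusing to parse")
    return ET.fromstring(xml_bytes).tag


if __name__ == "__main__":
    print("suspicious:", scan_xfa_for_xxe(wrap_in_pdf(XXE_XFA)))
    print("clean:", scan_xfa_for_xxe(wrap_in_pdf(CLEAN_XFA)))
    print("root:", parse_xfa_hardened(CLEAN_XFA))
```

Rejecting the DOCTYPE outright is the simplest hardening because XFA form packets have no legitimate need for one; a content-scanning gateway can apply the same check before a document ever reaches Tika. For deployments in the affected range the remedy remains upgrading to 3.2.2, with this kind of scan serving only as a detection layer for documents already on disk.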


Copyright of this story solely belongs to gbhackers.