A security flaw in the widely used Apache Tika XML document extraction utility, originally made public last summer, is wider in scope and more serious than first thought, the project's maintainers have warned.
Their new alert relates to two entwined flaws: the first, CVE-2025-54988, from August, rated 8.4 in severity; and the second, CVE-2025-66516, made public last week, rated 10.
CVE-2025-54988 is a weakness in the tika-parser-pdf-module used to process PDFs in Apache Tika from version 1.13 up to and including version 3.2.1. It is one module in Tika's wider ecosystem, which is used to normalize data from 1,000 proprietary formats so that software tools can index and read them.
The Apache Software Foundation cybersecurity rating report: https://www.rankiteo.com/company/the-apache-software-foundation
{
  "id": "THE1765231837",
  "linkid": "the-apache-software-foundation",
  "type": "Vulnerability",
  "date": "12/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': None,
                        'industry': 'Technology/Software',
                        'location': None,
                        'name': 'Apache Tika',
                        'size': None,
                        'type': 'Software Utility'}],
 'attack_vector': 'Malicious PDF Processing',
 'data_breach': {'data_encryption': None,
                 'data_exfiltration': None,
                 'file_types_exposed': ['PDF'],
                 'number_of_records_exposed': None,
                 'personally_identifiable_information': None,
                 'sensitivity_of_data': None,
                 'type_of_data_compromised': None},
 'description': 'A security flaw in the widely-used Apache Tika XML document extraction utility, originally made public last summer, is wider in scope and more serious than first thought. The new alert relates to two entwined flaws: CVE-2025-54988 (rated 8.4) and CVE-2025-66516 (rated 10). CVE-2025-54988 is a weakness in the tika-parser-pdf-module used to process PDFs in Apache Tika from version 1.13 to 3.2.1.',
 'impact': {'brand_reputation_impact': None,
            'conversion_rate_impact': None,
            'customer_complaints': None,
            'data_compromised': None,
            'downtime': None,
            'financial_loss': None,
            'identity_theft_risk': None,
            'legal_liabilities': None,
            'operational_impact': None,
            'payment_information_risk': None,
            'revenue_loss': None,
            'systems_affected': 'Apache Tika versions 1.13 to 3.2.1'},
 'initial_access_broker': {'backdoors_established': None,
                           'data_sold_on_dark_web': None,
                           'entry_point': None,
                           'high_value_targets': None,
                           'reconnaissance_period': None},
 'post_incident_analysis': {'corrective_actions': None,
                            'root_causes': 'Weakness in tika-parser-pdf-module for PDF processing'},
 'ransomware': {'data_encryption': None,
                'data_exfiltration': None,
                'ransom_demanded': None,
                'ransom_paid': None,
                'ransomware_strain': None},
 'references': [{'date_accessed': None,
                 'source': 'Apache Tika Project',
                 'url': None}],
 'regulatory_compliance': {'fines_imposed': None,
                           'legal_actions': None,
                           'regulations_violated': None,
                           'regulatory_notifications': None},
 'response': {'adaptive_behavioral_waf': None,
              'communication_strategy': None,
              'containment_measures': None,
              'enhanced_monitoring': None,
              'incident_response_plan_activated': None,
              'law_enforcement_notified': None,
              'network_segmentation': None,
              'on_demand_scrubbing_services': None,
              'recovery_measures': None,
              'remediation_measures': None,
              'third_party_assistance': None},
 'title': 'Apache Tika XML Document Extraction Utility Security Flaws',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': ['CVE-2025-54988', 'CVE-2025-66516']}