CVE-2025-66516

HIGH · NUCLEI · LAB

Apache Tika 1.13-3.2.1 and tika-parsers 1.13-1.28.5 - XML External Entity Injection via Crafted XFA in PDF

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-66516: working PoCs published by chasingimpact, sid6224 and intSheep, plus a version-check scanner by yunatamos. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2025-66516, an XXE vulnerability in Apache Tika. The exploit demonstrates file read, SSRF, and data exfiltration via crafted PDFs with malicious XFA content.

Description

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

Exploits (4)

nomisec · WORKING POC · 12 stars
by chasingimpact · poc
https://github.com/chasingimpact/CVE-2025-66516-Writeup-POC

This repository contains a functional proof-of-concept exploit for CVE-2025-66516, an XXE vulnerability in Apache Tika. The exploit demonstrates file read, SSRF, and data exfiltration via crafted PDFs with malicious XFA content.

Classification: Working PoC (100%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Apache Tika (versions 1.13 - 3.2.1)
Authentication: No auth needed
Prerequisites: Target running vulnerable Apache Tika version · Ability to upload crafted PDF files
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC · 5 stars
by sid6224 · poc
https://github.com/sid6224/CVE-2025-66516-POC

This repository contains a proof-of-concept exploit for CVE-2025-66516, an XXE vulnerability in Apache Tika's PDF parser. The PoC includes scripts to generate malicious PDFs and a Java application demonstrating the vulnerability.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Apache Tika < 3.2.2
Authentication: No auth needed
Prerequisites: Apache Tika 3.2.1 or earlier · Java 17+ · Python for generating malicious PDFs
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC
by intSheep · poc
https://github.com/intSheep/Tika-CVE-2025-66516-Lab

This repository contains a functional PoC for CVE-2025-66516, an XXE vulnerability in Apache Tika 3.2.1 and earlier. It generates a malicious PDF with an XFA form containing an external entity reference to read sensitive files (e.g., `/etc/passwd` or `C:/Windows/win.ini`) and verifies the vulnerability by parsing the PDF with Tika.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Apache Tika <= 3.2.1
Authentication: No auth needed
Prerequisites: JDK 11+ · Maven · Apache Tika <= 3.2.1 · File read permissions for target files
Analyzed by devstral-2 on Feb 16, 2026
nomisec · SCANNER
by yunatamos · poc
https://github.com/yunatamos/Blackash-CVE-2025-66516

This repository contains a Python script that checks if a remote Apache Tika server is vulnerable to CVE-2025-66516 by querying the version header. It does not exploit the vulnerability but identifies vulnerable versions.

Classification: Scanner (100%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Apache Tika ≤ 3.2.1 / ≤ 1.28.5
Authentication: No auth needed
Prerequisites: Network access to the target Apache Tika server
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

Apache Tika - XML External Entity Injection
HIGH · VERIFIED · by MathematicianGoat
Shodan: title:"Apache Tika"
FOFA: title="Apache Tika"

References (2)

Core References
Third Party Advisory (related): https://cve.org/CVERecord?id=CVE-2025-54988

Scores

CVSS v3: 8.4
EPSS: 0.0204
EPSS Percentile: 84.3%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-611
Status: published
Products (4)
apache/tika 1.13 - 3.2.2
org.apache.tika/tika-core 1.13 - 3.2.2 (Maven)
org.apache.tika/tika-parser-pdf-module 2.0.0 - 3.2.2 (Maven)
org.apache.tika/tika-parsers 1.13 - 2.0.0 (Maven)
Published: Dec 04, 2025
Tracked Since: Feb 18, 2026