Apache warns of critical vulnerability in Tika toolkit

The Apache Software Foundation discovered a serious security flaw in Apache Tika, a widely used open source tool for analyzing and extracting metadata from files. The vulnerability has the maximum CVSS score of 10.0 and could enable exploitation if systems are not fully updated.

Apache Tika supports more than a thousand file formats and is widely used in search engines, document management systems, and security software. In August, Apache reported a security issue with a lower severity rating, in which attackers could carry out an XML External Entity attack via a specially crafted PDF file. That vulnerability was fixed at the time, but it recently emerged that the problem was more widespread than initially thought, reports The Register.

According to Apache, a related and more serious bug, registered as CVE-2025-66516, has now been identified in a core component of Tika. The earlier problem was visible through the PDF parser module, but the underlying cause was in the central tika-core component. As a result, users remained vulnerable if they only updated the parser and not the core library. The problem has only been completely resolved as of version 3.2.2 of tika-core.

Apache indicates that the original security advisory was incomplete. The advisory did not make clear how the various Tika modules were structured in older versions. In older releases, PDF parsers were part of a different module layout. This contributed to confusion about which updates were necessary. In newer versions, the structure of the project has been simplified, but users must check that all relevant components have been updated.

Administrators using Apache Tika are strongly advised to verify which versions are active in their environment and to implement updates where necessary. Due to the severity of the vulnerability, successful exploitation could have far-reaching consequences, depending on how Tika is integrated into underlying applications.
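As an added example that is not from Apache or this article: a small Python check, assuming Maven-style jar file names on an application's classpath, that reports a tika-core version older than 3.2.2 and flags the situation the article describes, where parser modules were updated but the core library was not. The artifact names in the sample list are constructed for illustration.

```python
import re
from pathlib import Path
from typing import Iterable

# Version of tika-core in which the article says CVE-2025-66516 is fully resolved.
TIKA_CORE_FIXED = (3, 2, 2)

# Matches Maven-style jar names such as tika-core-3.2.1.jar or
# tika-parsers-standard-package-3.2.2.jar (artifact id, then dotted version).
JAR_RE = re.compile(r"^(tika-[a-z0-9-]+?)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> tuple:
    """Turn '3.2.1' into (3, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def tika_artifacts(jar_names: Iterable[str]) -> dict:
    """Map each Tika artifact found to the OLDEST version seen.

    Conservative on purpose: if several copies of one artifact sit on the
    classpath, which one the class loader picks is not guaranteed.
    """
    found = {}
    for name in jar_names:
        match = JAR_RE.match(name)
        if not match:
            continue
        artifact, version = match.group(1), parse_version(match.group(2))
        if artifact not in found or version < found[artifact]:
            found[artifact] = version
    return found


def check_tika_core(jar_names: Iterable[str]) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    found = tika_artifacts(jar_names)
    if "tika-core" not in found:
        return []  # no Tika core library on this classpath
    core = found["tika-core"]
    if core >= TIKA_CORE_FIXED:
        return []
    findings = [f"tika-core {'.'.join(map(str, core))} < 3.2.2: CVE-2025-66516 unresolved"]
    # The article's point: newer parser jars do not help while tika-core is old.
    newer = sorted(a for a, v in found.items() if a != "tika-core" and v > core)
    if newer:
        findings.append("Tika modules newer than tika-core (updating them alone is not enough): " + ", ".join(newer))
    return findings


def scan_dir(path: str) -> list:
    """Run the check over every .jar below a directory, e.g. an application's lib/ folder."""
    return check_tika_core(p.name for p in Path(path).rglob("*.jar"))


# Constructed sample classpath: parser package was bumped, tika-core was not.
SAMPLE_JARS = ["tika-core-3.2.1.jar", "tika-parsers-standard-package-3.2.2.jar", "pdfbox-3.0.3.jar"]
```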

Previous hack denied

The warning follows shortly after earlier reports concerning Apache. In early November, the Apache Software Foundation announced that claims by the Akira ransomware group about an alleged hack of Apache OpenOffice were unfounded. According to Apache, there was no breach or data leak in that project.