CVE-2025-54988: 
Java vulnerability analysis and mitigation

A critical XML External Entity (XXE) vulnerability has been discovered in Apache Tika's PDF parser module (tika-parser-pdf-module) affecting versions 1.13 through 3.2.1. The vulnerability was disclosed on August 20, 2025, and was assigned identifier CVE-2025-54988. The issue affects all platforms and impacts several Tika packages including tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc, and tika-server-standard. The vulnerability was discovered by Paras Jain and Yakov Shafranovich of Amazon (Openwall OSS).

The vulnerability allows attackers to perform XML External Entity injection through a specially crafted XFA file embedded within a PDF document. The issue has been assigned CWE-611 (Improper Restriction of XML External Entity Reference) and received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The fix implemented in version 3.2.2 involves improving the configuration of XMLInputFactory by disabling DTD support and external entity processing (NVD Database, GitHub Commit).

The exploitation of this vulnerability could allow attackers to read sensitive data or trigger malicious requests to internal resources or third-party servers. Given the widespread use of Apache Tika as a dependency in various applications, the potential impact is significant (Debian Tracker).

Users are strongly recommended to upgrade to Apache Tika version 3.2.2, which contains the fix for this vulnerability. The fix has been implemented through commits that improve the configuration of XMLInputFactory by disabling DTD support and external entity processing (Openwall OSS).