CVE-2025-54988: 
Java vulnerability analysis and mitigation

A critical XML External Entity (XXE) injection vulnerability has been discovered in Apache Tika's PDF parser module (CVE-2025-54988). The vulnerability affects Apache Tika versions 1.13 through 3.2.1, specifically in the tika-parser-pdf-module component. The flaw allows attackers to perform XXE injection through crafted XFA files embedded within PDF documents. This vulnerability impacts multiple Tika packages including tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc, and tika-server-standard (NVD, Security Online).

The vulnerability stems from improper handling of XML Forms Architecture (XFA) data within PDF files processed by Apache Tika's PDF parser module. The issue has been assigned CWE-611 (Improper Restriction of XML External Entity Reference) and received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The root cause appears to be related to insecure default configurations in Java's XML parsing libraries, which require explicit security settings to prevent XXE attacks (Openwall).

When exploited, this vulnerability allows attackers to read sensitive files on the host system, perform server-side request forgery (SSRF) by sending malicious requests to internal resources, and potentially exfiltrate data to attacker-controlled servers. The widespread use of Apache Tika in applications such as search engine indexing, content analysis pipelines, automated translation systems, and enterprise document processing makes this vulnerability particularly concerning (Security Online).

The Apache Tika team has released version 3.2.2 which includes security fixes for this vulnerability. Users are strongly advised to upgrade to this version immediately. The fix involves improving the configuration of XMLInputFactory by disabling DTD support and external entity resolution (GitHub Commit).

Security researchers, including Hanno Böck, have noted that this vulnerability highlights a broader issue with Java's standard library XML parsing defaults. They argue that the root cause lies in Java's insecure-by-default XML parsing configuration, contrasting with other XML libraries that have adopted safer defaults (Openwall).