8.4 CVE-2025-54988

Exploit

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
https://nvd.nist.gov/vuln/detail/CVE-2025-54988

Categories

CWE-611 : Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. An acronym used for the term "XML eXternal Entities" Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Many XML parsers and validators can be configured to disable external entity expansion. Recruiter software allows reading arbitrary files using XXE A browser control can allow remote attackers to determine the existence of files via Javascript containing XML script. XXE during SVG image conversion XXE in PHP application allows reading the application's configuration file. XXE in database server XXE in rapid web application development framework allows reading arbitrary files. XXE via XML-RPC request. XXE in office document product using RDF. XXE in web-based administration tool for database. XXE in product that performs large-scale data analysis. XXE in XSL stylesheet functionality in a common library used by some web browsers.

References

af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2025/08/20/2
http://www.openwall.com/lists/oss-security/2025/08/20/3
https://lists.debian.org/debian-lts-announce/2025/10/msg00030.html

security@apache.org

https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w Issue Tracking Mailing List Vendor Advisory

CPE

cpe	start	end
Configuration 1
cpe:2.3:a:apache:tika::::::::	>= 1.13	< 3.2.2

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
https://github.com/mgthuramoemyint/POC-CVE-2025-54988

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
221	Data Serialization External Entities Blowup This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI. [Find target web service] The adversary must first find a web service that takes input data in the form of a serialized language such as XML or YAML. [Host malicious file on a server] The adversary will create a web server that contains a malicious file. This file will be extremely large, so that if a web service were to try to load it, the service would most likely hang. [Craft malicious data] Using the serialization language that the web service takes as input, the adversary will craft data that links to the malicious file using an external entity reference to the URL of the file. [Send serialized data containing URI] The adversary will send specially crafted serialized data to the web service. When the web service loads the input, it will attempt to download the malicious file. Depending on the amount of memory the web service has, this could either crash the service or cause it to hang, resulting in a Denial of Service attack.

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee