Source: tika Version: 1.22-2 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for tika. CVE-2025-54988[0]: | Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika | 1.13 through and including 3.2.1 on all platforms allows an attacker | to carry out XML External Entity injection via a crafted XFA file | inside of a PDF. An attacker may be able to read sensitive data or | trigger malicious requests to internal resources or third-party | servers. Note that the tika-parser-pdf-module is used as a | dependency in several Tika packages including at least: tika- | parsers-standard-modules, tika-parsers-standard-package, tika-app, | tika-grpc and tika-server-standard. Users are recommended to | upgrade to version 3.2.2, which fixes this issue. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-54988 https://www.cve.org/CVERecord?id=CVE-2025-54988 [1] https://www.openwall.com/lists/oss-security/2025/08/20/3 [2] https://github.com/apache/tika/commit/94acef2854eed07f0ded357c13a659409495ca49 Regards, Salvatore __ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
