What Should Administrators Know About the Apache Tika Security Flaw Affecting Multiple Modules?
On December 4, 2025 the Apache Software Foundation published an advisory for a serious flaw in Apache Tika, tracked as CVE-2025-66516 and carrying the maximum CVSS score of 10.0. Tika is a content analysis toolkit that extracts text and metadata from more than a thousand file types, which means it is routinely placed directly in front of untrusted uploads.
The Core Problem
The underlying vulnerability is not new. CVE-2025-54988, an XML External Entity (XXE) issue reachable through XFA content inside PDFs, was patched in August 2025 with a CVSS score of 8.4. The advisory for that CVE, however, named the wrong component as the one that needed updating, so many teams believed they had applied the fix when they had not.
The original advisory listed only tika-parser-pdf-module as affected, which implied that bumping that one artifact was sufficient. The vulnerable XML handling, and the fix for it, actually live in tika-core: the PDF parser delegates XML parsing to tika-core, so a build that moved tika-parser-pdf-module to 3.2.2 but left tika-core at 3.2.1 or earlier still runs the unpatched code. Any organization that updated only the PDF parser module without upgrading tika-core to version 3.2.2 or later remains at risk, which is why a new CVE was issued.
Additional Scope Considerations
The initial advisory also said nothing about Tika 1.x. In those releases there was no tika-parser-pdf-module at all; the PDFParser shipped inside org.apache.tika:tika-parsers. A 1.x deployment therefore never matched the original advisory's component list and has to be judged by its tika-core and tika-parsers versions instead.
Affected Versions
Three module categories require attention:
- Apache Tika core (org.apache.tika:tika-core): versions 1.13 through 3.2.1 inclusive
- Apache Tika parsers, 1.x line (org.apache.tika:tika-parsers): versions 1.13 up to but not including 2.0.0
- Apache Tika PDF parser module (org.apache.tika:tika-parser-pdf-module): versions 2.0.0 through 3.2.1 inclusive
Immediate Action Required
The severity of this vulnerability demands prompt remediation. Enumerate every Tika artifact on the classpath, including transitive ones, since tika-core is frequently pulled in indirectly and can lag behind a directly declared parser module. Upgrade tika-core, not only the PDF module, to 3.2.2 or later, and keep every org.apache.tika artifact on the same version. A 1.x deployment cannot be fixed by a point release of tika-parsers: moving to 3.2.2 means adopting the 2.x/3.x module layout in which the PDF parser is tika-parser-pdf-module. If you deploy the bundled tika-app or tika-server jars, those embed tika-core and must be replaced as well. A CVSS score of 10.0 corresponds to a flaw exploitable over the network with no privileges and no user interaction and with a scope change; for a toolkit whose purpose is to parse documents it did not produce, every upload or ingestion path that feeds files to Tika is a potential entry point.
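The inventory step above is where the original advisory misled people, so here is a small audit script, added for this article and not part of Apache Tika or the ASF advisory, that checks a Maven dependency tree against the three version ranges listed under Affected Versions. It assumes the input is the text printed by `mvn dependency:tree -Dincludes=org.apache.tika` (the two trees embedded in the script are constructed for the example, as are the project names in them); it also reports the specific trap the advisory describes, a patched tika-parser-pdf-module sitting next to an unpatched tika-core.

```python
"""Audit a Maven dependency tree for Apache Tika artifacts inside the
version ranges listed in the CVE-2025-66516 advisory.

Expected input: the text printed by
    mvn dependency:tree -Dincludes=org.apache.tika
The two sample trees at the bottom are constructed for this example.
"""
import re

# Advisory ranges: (lowest affected, highest affected, upper bound inclusive?)
AFFECTED = {
    "org.apache.tika:tika-core": ((1, 13, 0), (3, 2, 1), True),               # 1.13 through 3.2.1
    "org.apache.tika:tika-parsers": ((1, 13, 0), (2, 0, 0), False),           # 1.13 before 2.0.0
    "org.apache.tika:tika-parser-pdf-module": ((2, 0, 0), (3, 2, 1), True),   # 2.0.0 through 3.2.1
}

# A Maven coordinate for any org.apache.tika artifact: colon-separated fields.
COORD_RE = re.compile(r"(org\.apache\.tika:[\w.-]+(?::[\w.-]+)+)")


def parse_version(version: str) -> tuple:
    """'3.2.1' -> (3, 2, 1); '1.13' -> (1, 13, 0); '2.9-SNAPSHOT' -> (2, 9, 0).
    Qualifiers after '-' are dropped and missing components are padded with 0."""
    numeric = []
    for part in version.split("-")[0].split("."):
        if not part.isdigit():
            break
        numeric.append(int(part))
    return tuple((numeric + [0, 0, 0])[:3])


def is_affected(key: str, version: str) -> bool:
    """True if group:artifact `key` at `version` falls inside an advisory range.
    Artifacts the advisory does not name are returned as not affected, which
    only means this script makes no judgement about them."""
    rng = AFFECTED.get(key)
    if rng is None:
        return False
    low, high, inclusive = rng
    v = parse_version(version)
    if v < low:
        return False
    return v <= high if inclusive else v < high


def scan_tree(tree_text: str) -> list:
    """Return [(group:artifact, version, affected)] for every Tika coordinate."""
    findings = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        fields = m.group(1).split(":")
        # Maven prints group:artifact:packaging[:classifier]:version[:scope];
        # the root project line has no scope, every dependency line does.
        key = f"{fields[0]}:{fields[1]}"
        version = fields[3] if len(fields) == 4 else fields[-2]
        findings.append((key, version, is_affected(key, version)))
    return findings


def partially_patched(findings: list) -> bool:
    """The trap from the advisory: tika-parser-pdf-module already on a fixed
    version while tika-core is still inside the affected range."""
    versions = {key: version for key, version, _ in findings}
    pdf = versions.get("org.apache.tika:tika-parser-pdf-module")
    core = versions.get("org.apache.tika:tika-core")
    if pdf is None or core is None:
        return False
    return (not is_affected("org.apache.tika:tika-parser-pdf-module", pdf)
            and is_affected("org.apache.tika:tika-core", core))


# Constructed sample: a 3.x build where only the PDF module was bumped.
TREE_3X = """\
[INFO] com.example:doc-ingest:jar:1.0.0
[INFO] +- org.apache.tika:tika-core:jar:3.2.1:compile
[INFO] +- org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO] |  \\- org.apache.pdfbox:pdfbox:jar:3.0.5:compile
[INFO] \\- org.apache.tika:tika-parsers-standard-package:jar:3.2.2:compile
"""

# Constructed sample: a 1.x build, where the PDF parser lives in tika-parsers.
TREE_1X = """\
[INFO] com.example:legacy-indexer:jar:2.4.0
[INFO] +- org.apache.tika:tika-core:jar:1.28.5:compile
[INFO] \\- org.apache.tika:tika-parsers:jar:1.28.5:compile
"""

if __name__ == "__main__":
    for name, tree in (("3.x build", TREE_3X), ("1.x build", TREE_1X)):
        findings = scan_tree(tree)
        print(f"== {name} ==")
        for key, version, bad in findings:
            print(f"  {'AFFECTED' if bad else 'ok      '} {key}:{version}")
        if partially_patched(findings):
            print("  WARNING: tika-parser-pdf-module is patched but tika-core is not")
```

Run it against your own tree by piping the Maven output into `scan_tree`; for Gradle the coordinate format differs, so `COORD_RE` and the field handling in `scan_tree` would need to be adapted. The script deliberately flags only the three artifacts the advisory names; an unflagged artifact is not a clean bill of health, only out of scope for this check.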