
Another maximum-severity vulnerability with the highest CVSS score of 10.0 has surfaced shortly after the recent React2Shell disclosure. Labeled CVE-2025-66516, the critical flaw affecting Apache Tika could expose systems to XML External Entity (XXE) attacks.
In 2025, Apache products were repeatedly targeted due to newly discovered vulnerabilities. Early in the year, CVE-2025-24813 demonstrated how quickly a critical Apache Tomcat flaw could be weaponized, with attackers exploiting unsafe deserialization for RCE on unpatched servers within just 30 hours of disclosure. Months later, two more vulnerabilities in Apache Tomcat, CVE-2025-55752 and CVE-2025-55754, surfaced, again leaving systems exposed to potential RCE attacks. At the end of 2025, another Apache critical flaw affecting a set of Tika components requires ultra-responsiveness from defenders to reduce the risks of exploitation.
Sign up for SOC Prime Platform, the vendor-agnostic product suite for real-time defense, to explore an extensive collection of high-quality detection content and AI-native intelligence, backed by top industry expertise, to help SOC teams navigate the ever-evolving cyber threat landscape. Click Explore Detections to drill down to the comprehensive rule stack for vulnerability exploit detection conveniently filtered by the custom “CVE” tag.
Detection content can be converted to dozens of SIEM, EDR, and Data Lake solutions in an automated fashion and is mapped with MITRE ATT&CK®. Each content item is enriched with AI-native threat intelligence, such as CTI references, attack timelines, audit configurations, triage recommendations, and more metadata for streamlined threat research.
Moreover, Uncoder AI assists security teams in their daily detection engineering operations. Use the solution to instantly convert IOCs into performance-optimized hunting queries, craft detection code from raw threat reports, visualize Attack Flows, perform cross-platform translation, seamlessly validate syntax and detection logic, etc.
CVE-2025-66516 Analysis
A newly disclosed maximum-severity XXE vulnerability tracked as CVE-2025-66516 affects multiple Apache Tika components, including tika-core (1.13–3.2.1), tika-pdf-module (2.0.0–3.2.1), and tika-parsers (1.13–1.28.5), according to the corresponding vendor’s advisory. The flaw allows attackers to trigger XML External Entity injection by embedding a malicious XFA file inside a PDF.
XXE injection is a type of security flaw in which adversaries manipulate how an application handles XML input. By doing so, threat actors may gain unauthorized access to files on the server and, in certain scenarios, even execute code remotely.
CVE-2025-66516 represents the same underlying weakness as CVE-2025-54988 but significantly broadens the scope of impacted packages. Although the earlier CVE identified the entry point in the tika-parser-pdf-module, the root cause and fix reside in tika-core, meaning users who updated only the PDF parser without upgrading tika-core to version 3.2.2 or later remain exposed. Additionally, the original advisory did not account for the 1.x release line, where PDFParser resides in the “org.apache.tika:tika-parsers” module.
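To catch the partial-upgrade case described above (PDF parser bumped, tika-core left behind), here is an added example that is not SOC Prime's or the Apache Tika project's code: it audits `mvn dependency:tree` output against the affected ranges listed in this post. The Maven artifact ids `tika-core`, `tika-parser-pdf-module` and `tika-parsers` are assumed, and the dependency lines are constructed sample input.

```python
"""Audit a Maven dependency tree for Apache Tika artifacts affected by
CVE-2025-66516. Added example; ranges come from the advisory summary above."""
import re

# Affected version ranges per artifact (inclusive), as stated in the advisory.
# tika-pdf-module is the post's shorthand for the Maven id tika-parser-pdf-module.
AFFECTED = {
    "tika-core": [("1.13", "3.2.1")],
    "tika-parser-pdf-module": [("2.0.0", "3.2.1")],
    "tika-parsers": [("1.13", "1.28.5")],
}

def parse_version(v):
    """Turn '3.2.1' into (3, 2, 1); missing components count as zero."""
    nums = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(artifact, version):
    """True if the artifact/version pair falls inside an affected range."""
    ver = parse_version(version)
    for lo, hi in AFFECTED.get(artifact, []):
        if parse_version(lo) <= ver <= parse_version(hi):
            return True
    return False

def audit(tree_text):
    """Scan 'group:artifact:type:version:scope' lines and return the
    (artifact, version) pairs that still need upgrading."""
    findings = []
    for line in tree_text.splitlines():
        m = re.search(r"org\.apache\.tika:([\w-]+):jar:([\d.]+)", line)
        if m and is_affected(m.group(1), m.group(2)):
            findings.append((m.group(1), m.group(2)))
    return findings

# Constructed sample: the PDF module was bumped to 3.2.2 but tika-core was
# not, which is exactly the partial-upgrade trap the advisory warns about.
SAMPLE_TREE = """\
[INFO] com.example:ingest:jar:1.0.0
[INFO] +- org.apache.tika:tika-core:jar:3.2.1:compile
[INFO] +- org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO] \\- com.example:util:jar:2.0.0:compile
"""

if __name__ == "__main__":
    for artifact, version in audit(SAMPLE_TREE):
        print(f"UPGRADE {artifact} {version}: affected by CVE-2025-66516")
```

Feed it the real output of `mvn dependency:tree` (or an equivalent Gradle listing with the same coordinate format) to cover transitive pulls of tika-core that a direct-dependency check would miss.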
Given the severity of this flaw and its expanded impact across the Tika ecosystem, users should update all affected modules as urgent CVE-2025-66516 mitigation measures. SOC Prime curates its AI-Native Detection Intelligence Platform to help global organizations outscale cyber threats of any sophistication, including emerging CVEs and high-profile attacks. Leveraging SOC Prime’s product suite, defenders can integrate the full pipeline from detection to simulation directly into their security operations, take advantage of the world’s largest detection intelligence dataset to stay ahead of the latest threats, and explore the benefits of the innovative Shift-Left Detection approach to maximize resource effectiveness.
