SCA: security update for org.apache.tika:tika-core, org.apache.tika:tika-parser-pdf-module, org.apache.tika:tika-parsers (GHSA-f58c-gq56-vjjf)

critical Tenable Self-Hosted Container Security Plugin ID 436264

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers
(1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a
crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However,
this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the
vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix
were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2
would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases,
the PDFParser was in the "org.apache.tika:tika-parsers" module. (CVE-2025-66516)

See Also

https://github.com/advisories/GHSA-f58c-gq56-vjjf

Plugin Details

Severity: Critical

ID: 436264

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 12/5/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.92

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-66516

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 10

Threat Score: 9.1

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 12/4/2025

Vulnerability Publication Date: 12/4/2025

Reference Information

CVE: CVE-2025-66516

cwe: CWE-611