{
  "threat_severity" : "Critical",
  "public_date" : "2025-08-20T20:08:49Z",
  "bugzilla" : {
    "description" : "org.apache.tika/tika-parser-pdf-module: Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA",
    "id" : "2389910",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2389910"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-611",
  "details" : [ "Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard.\nUsers are recommended to upgrade to version 3.2.2, which fixes this issue.", "An XML External Entity injection flaw was found in the Apache Tika tika-parser-pdf-module. This vulnerability allows an attacker who supplies a crafted XFA file within a PDF to read sensitive data or trigger malicious requests to internal resources or third-party servers." ],
  "statement" : "Within Red Hat products, the tika-parser-pdf-module is used exclusively for testing purposes at build time; it is not included in any shipped releases of Camel Spring Boot or JBoss EAP.",
  "package_state" : [ {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Not affected",
    "package_name" : "tika-parser-pdf-module",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "tika-parser-pdf-module",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "tika-parser-pdf-module",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "tika-parser-pdf-module",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-54988\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-54988\nhttps://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w" ],
  "name" : "CVE-2025-54988",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}