Critical XXE Vulnerability in Apache Tika (CVE-2025-66516)
Summary
A critical XML External Entity (XXE) injection vulnerability (CVE-2025-66516) has been disclosed in Apache Tika, affecting multiple modules. The flaw, rated 10.0 on the CVSS scale, allows attackers to execute XXE attacks via crafted XFA files in PDFs. The vulnerability affects specific versions of tika-core, tika-pdf-module, and tika-parsers. Users are advised to upgrade to the patched versions immediately. The vulnerability is similar to CVE-2025-54988 but expands the scope of affected packages and highlights the importance of upgrading both the tika-parser-pdf-module and tika-core to mitigate the risk. Atlassian has patched the vulnerability in its products, including Bamboo, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management. The flaw can lead to information leaks, denial-of-service (DoS), SSRF attacks, or remote code execution (RCE).
Timeline
- 05.12.2025 18:23 · 2 articles
Critical XXE Vulnerability in Apache Tika (CVE-2025-66516) Disclosed
- Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch — thehackernews.com — 05.12.2025 18:23
- Atlassian Patches Critical Apache Tika Flaw — www.securityweek.com — 15.12.2025 13:00
Information Snippets
- CVE-2025-66516 is an XXE injection vulnerability in Apache Tika with a CVSS score of 10.0.
  First reported: 05.12.2025 18:23 (2 sources, 2 articles: thehackernews.com, www.securityweek.com)
- The vulnerability affects tika-core versions 1.13 to 3.2.1, tika-pdf-module versions 2.0.0 to 3.2.1, and tika-parsers versions 1.13 to 1.28.5.
  First reported: 05.12.2025 18:23 (2 sources, 2 articles: thehackernews.com, www.securityweek.com)
- Patched versions are tika-core 3.2.2, tika-pdf-module 3.2.2, and tika-parsers 2.0.0.
  First reported: 05.12.2025 18:23 (2 sources, 2 articles: thehackernews.com, www.securityweek.com)
- The vulnerability is similar to CVE-2025-54988 but expands the scope of affected packages.
  First reported: 05.12.2025 18:23 (2 sources, 2 articles: thehackernews.com, www.securityweek.com)
- Users who upgraded tika-parser-pdf-module but not tika-core remain vulnerable.
  First reported: 05.12.2025 18:23 (2 sources, 2 articles: thehackernews.com, www.securityweek.com)
- The 1.x Tika releases' PDFParser was in the tika-parsers module, which was not mentioned in the original report.
  First reported: 05.12.2025 18:23 (2 sources, 2 articles: thehackernews.com, www.securityweek.com)
- Atlassian products affected by CVE-2025-66516 include Bamboo, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management.
  First reported: 15.12.2025 13:00 (1 source, 1 article: www.securityweek.com)
- The vulnerability can lead to information leaks, denial-of-service (DoS), SSRF attacks, or remote code execution (RCE).
  First reported: 15.12.2025 13:00 (1 source, 1 article: www.securityweek.com)
Similar Happenings
React2Shell vulnerability exploited by China-linked threat actors
Multiple China-linked threat actors, including Earth Lamia and Jackpot Panda, have begun exploiting the critical React2Shell vulnerability (CVE-2025-55182) in React and Next.js. This insecure deserialization flaw allows unauthenticated remote execution of JavaScript code in the server's context. The vulnerability affects multiple versions of the widely used libraries, potentially exposing thousands of dependent projects. AWS reports active exploitation attempts within hours of the public disclosure, with attackers using a mix of public exploits and manual testing to refine their techniques.
OpenSSL Vulnerabilities in Versions 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm, and 1.1.1zd
The OpenSSL Project has released updates to fix three vulnerabilities in multiple versions of the OpenSSL library. The vulnerabilities, tracked as CVE-2025-9230, CVE-2025-9231, and CVE-2025-9232, allow for private key recovery, arbitrary code execution, and denial-of-service (DoS) attacks. The most severe flaw, CVE-2025-9231, affects the SM2 algorithm implementation on 64-bit ARM platforms, potentially enabling attackers to recover private keys and decrypt encrypted traffic or conduct man-in-the-middle (MitM) attacks. The other two vulnerabilities, CVE-2025-9230 and CVE-2025-9232, have moderate and low severity ratings, respectively. The vulnerabilities were discovered in versions 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm, and 1.1.1zd of the OpenSSL library. The updates are available for immediate deployment to mitigate the risks associated with these vulnerabilities.
GeoServer RCE Exploit Used in Federal Agency Breach
A U.S. federal civilian executive branch (FCEB) agency was breached in July 2024 after attackers exploited an unpatched GeoServer instance. The attackers gained initial access through a critical remote code execution (RCE) vulnerability (CVE-2024-36401), which GeoServer had patched in June 2024 but which remained unpatched in the agency's environment, and then moved laterally within the network, deploying web shells and scripts for persistence and privilege escalation. They used brute-force techniques for lateral movement and privilege escalation, accessing service accounts and deploying web shells such as China Chopper. The breach went undetected for three weeks until the agency's Endpoint Detection and Response (EDR) tool alerted the Security Operations Center (SOC). The incident highlights the importance of timely patching, continuous monitoring of EDR alerts, and comprehensive incident response plans. Separately, CISA has added a high-severity XML External Entity (XXE) flaw in GeoServer (CVE-2025-58360) to its KEV catalog on evidence of active exploitation and has ordered federal agencies to apply the required fixes by January 1, 2026. The flaw affects versions prior to and including 2.25.5 and versions 2.26.0 through 2.26.1, and can be exploited through the GetMap operation of the /geoserver/wms endpoint; successful exploitation allows threat actors to access arbitrary files or confidential data, perform Server-Side Request Forgery (SSRF) to interact with internal systems, or launch denial-of-service (DoS) attacks.
Active exploitation of critical SessionReaper flaw in Adobe Commerce and Magento Open Source
Adobe Commerce and Magento Open Source platforms are under active exploitation by hackers targeting the critical SessionReaper vulnerability (CVE-2025-54236). The flaw, with a CVSS score of 9.1, allows unauthenticated attackers to take control of customer accounts through the Commerce REST API. The patch was released on September 9, 2025, following an emergency notification to selected customers on September 4, 2025. Despite the patch, hundreds of exploitation attempts have been recorded, with many stores remaining unpatched. Adobe Commerce on Cloud customers are already protected by a WAF rule. The patch disables certain internal Magento functionalities, potentially affecting custom or external code. The vulnerability impacts multiple versions of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source, as well as the Custom Attributes Serializable module. Over 250 Magento stores were hit overnight as hackers exploited the flaw, with attacks originating from five specific IP addresses. The attacks involved dropping PHP webshells or probing phpinfo to extract PHP configuration information. Exploitation activity for SessionReaper began on October 23, 2025, coinciding with the release of a proof-of-concept exploit. The threat activity has extended to 97 different IP addresses, indicating multiple actors are running mass scanners. Sansec advises that the window for safe patching has effectively closed and expects mass exploitation within the next 48 hours.
Sitecore Experience Platform Exploit Chain Combines Cache Poisoning and Remote Code Execution
Security researchers have disclosed three new vulnerabilities in the Sitecore Experience Platform. These flaws can be chained to achieve information disclosure and remote code execution. The vulnerabilities include HTML cache poisoning, remote code execution through insecure deserialization, and information disclosure via the ItemService API. The exploit chain leverages these vulnerabilities to compromise fully-patched instances of the platform. The vulnerabilities were patched by Sitecore in June and July 2025. The exploit chain involves using the ItemService API to enumerate cache keys, sending HTTP cache poisoning requests, and executing malicious code via an unrestricted BinaryFormatter call.