Improper Restriction of XML External Entity Reference

Summary

Critical XML External Entity (XXE) in Apache Tika tika-core versions 1.13 prior to 3.2.2, tika-pdf-module versions 2.0.0 prior to 3.2.2, and tika-parsers versions 1.13 prior to 2.0.0 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entry point for the vulnerability was the "tika-parser-pdf-module" as reported in CVE-2025-54988, the vulnerability and its fix were in "tika-core". Users who upgraded the "tika-parser-pdf-module" but did not upgrade "tika-core" to version 3.2.2 or later, would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the "PDFParser" was in the "org.apache.tika:tika-parsers" module.