
Critical XXE Vulnerability (CVE-2025-66516) in Apache Tika with CVSS 10.0 Score Affects Multiple Modules
A critical XML External Entity (XXE) vulnerability has been identified in Apache Tika, tracked as CVE-2025-66516 with a maximum CVSS score of 10.0. It affects multiple core components, including tika-core (versions 1.13 to 3.2.1), tika-pdf-module (2.0.0 to 3.2.1), and tika-parsers (1.13 to 1.28.5), on all platforms. The issue stems from insecure XML processing that allows malicious external entities to be injected into parsed documents.

XXE vulnerabilities are particularly dangerous because an improperly configured XML parser can be made to disclose arbitrary files, perform server-side request forgery (SSRF), or exhaust resources in a denial-of-service condition. Given the CVSS 10.0 rating, this represents a critical risk requiring immediate attention. The source does not, however, provide specific details about the disclosure timeline or any exploitation observed in the wild.

Cybersecurity professionals should prioritize patching affected systems immediately, as XXE vulnerabilities are often underestimated but can have severe consequences, including data exfiltration and system compromise. Organizations unable to patch immediately should consider XML parser hardening measures and network-level protections against external entity resolution. The broad range of affected versions suggests the vulnerability may have been present in deployments for an extended period, increasing the potential attack surface.