Concise Cyber

Apache Tika Hit by Critical XXE Vulnerability CVE-2025-66516 with CVSS 10.0 Score

A critical security vulnerability has been identified in the Apache Tika content analysis toolkit. The flaw, tracked as CVE-2025-66516, is an XML External Entity (XXE) injection bug and has received the highest possible severity score.

The discovery has prompted calls for immediate action from administrators and developers who utilize the Apache Tika library in their applications and systems.

Vulnerability Details: CVE-2025-66516

The vulnerability is classified as an XML External Entity, or XXE, injection. This type of flaw arises when an application's XML parser resolves external entity references in the XML input it processes. According to the public disclosure, CVE-2025-66516 has been assigned a Common Vulnerability Scoring System (CVSS) score of 10.0. A score of 10.0 is the maximum rating and designates the vulnerability as critical in severity.

Affected Versions and Mitigation

The flaw impacts the Apache Tika toolkit, a library used for detecting and extracting metadata and text from a wide range of file types. In response to the identification of CVE-2025-66516, an urgent patch is required to remediate the security issue. Users of Apache Tika are directed to apply the necessary security updates to protect their environments from this critical vulnerability.

Source: https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html