SECURITY NOTICE: Critical vulnerability in Apache Tika impacts all versions of DSpace 7.x - 9.x.


DSpace Technical Support

Dec 11, 2025, 12:50:28 PM
to DSpace Technical Support
Hi all,

Apache Tika recently announced CVE-2025-66516, a critical XXE (XML External Entity) vulnerability in their PDF parsers/modules. This vulnerability would allow an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This XXE vulnerability has been assigned the highest possible severity of 10.0.

All versions of DSpace 7.x - 9.x use Apache Tika's PDF parsers to extract text from any PDF files that are deposited into DSpace.  Therefore, it is possible that an attacker (with submitter privileges) could deposit a malicious PDF file into a DSpace site.  A malicious PDF may be able to exploit this vulnerability in order to write system information into the extracted text file, making it searchable/viewable to the attacker and others.

We highly recommend all DSpace 7.x - 9.x sites perform ONE of the following actions:
  • Temporarily disable all PDF-to-text extraction (until you can patch your site or upgrade). See GitHub ticket below for details.
  • Or, immediately patch your site to use Apache Tika 3.2.3 (which is a patched version that works well with DSpace). See GitHub ticket below for details.

Details on how to protect your site can be found in this GitHub issue ticket: 

We are also working on finalizing DSpace maintenance releases (versions 7.6.6, 8.3 and 9.2), which will include the necessary update to Apache Tika 3.2.3 along with other recent bug fixes. These releases are expected to be announced sometime next week (Dec 15-19, 2025), hopefully by/on Wednesday.

If you have any private questions about this notice, please feel free to reach out to the DSpace Committers via our security email address: secu...@dspace.org .  Public questions are welcome on this mailing list or on the GitHub ticket.

Sincerely,

Tim

--

Tim Donohue (he/him)

Technical Lead, DSpace

DSpace.org | Lyrasis.org
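A defender-side triage script for the attack surface the notice describes (XFA forms inside deposited PDFs), added here as an example and not part of the original post or of DSpace or Tika: it inflates Flate-compressed streams and flags PDFs that combine an /XFA entry with a DOCTYPE or external-entity declaration, so such files can be set aside for review before text extraction is re-enabled. The sample PDF bytes and the placeholder entity URI are constructed for the example.

```python
import re
import zlib

# Constructed sample (not a real file): a minimal PDF-like byte string with an AcroForm
# /XFA entry whose Flate-compressed XFA stream carries a DOCTYPE with an external entity.
XFA_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE xdp [<!ENTITY ext SYSTEM "file:///constructed-placeholder">]>'
           b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">&ext;</xdp:xdp>')
_XFA_DEFLATED = zlib.compress(XFA_XML)
SAMPLE_PDF_WITH_XFA = (
    b'%PDF-1.7\n1 0 obj << /Type /Catalog /AcroForm << /XFA 2 0 R >> >> endobj\n'
    b'2 0 obj << /Length ' + str(len(_XFA_DEFLATED)).encode() + b' /Filter /FlateDecode >>\n'
    b'stream\n' + _XFA_DEFLATED + b'\nendstream\nendobj\n%%EOF\n')
SAMPLE_PDF_PLAIN = b'%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n'

STREAM_RE = re.compile(rb'stream\r?\n(.*?)endstream', re.DOTALL)
DOCTYPE_RE = re.compile(rb'<!DOCTYPE', re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb'<!ENTITY[^>]*\b(SYSTEM|PUBLIC)\b', re.IGNORECASE)

def _stream_bodies(pdf: bytes):
    """Yield every stream body raw and, where it is Flate-compressed, inflated as well."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        yield body
        for candidate in (body, body.rstrip(b'\r\n')):
            try:
                yield zlib.decompress(candidate)
                break
            except zlib.error:
                continue  # not FlateDecode or another filter is applied; raw body already yielded

def triage_pdf(pdf: bytes) -> dict:
    """Flag PDFs that carry an XFA form together with a DTD or external entity declaration.

    An XDP form has no need for a DOCTYPE, so one inside the XFA stream is a strong signal
    that the file deserves manual review before (re)indexing. This is a coarse check only:
    object streams and non-Flate filters are not unpacked, so no flag is not proof of safety.
    """
    views = [pdf] + list(_stream_bodies(pdf))
    has_xfa = any(b'/XFA' in v for v in views)
    has_doctype = any(DOCTYPE_RE.search(v) for v in views)
    has_external = any(EXTERNAL_ENTITY_RE.search(v) for v in views)
    return {"has_xfa": has_xfa, "has_doctype": has_doctype,
            "has_external_entity": has_external,
            "review": has_xfa and (has_doctype or has_external)}

if __name__ == "__main__":
    for name, data in (("with_xfa", SAMPLE_PDF_WITH_XFA), ("plain", SAMPLE_PDF_PLAIN)):
        print(name, triage_pdf(data))
```

Run it over the files in the assetstore to build a review list; it reads files, never parses them with an XML library, so it is safe to run on untrusted input.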

