From ab6829b924f6b9a4131f24cd52d94d092a8acd1b Mon Sep 17 00:00:00 2001 From: mbiuki Date: Wed, 7 Jan 2026 17:13:30 -0500 Subject: [PATCH] fix(security): upgrade Apache Tika to 3.2.2 to fix CVE-2025-66516 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CRITICAL Security Patch - CVSS 10.0 (Maximum Severity) Vulnerability Details: - CVE: CVE-2025-66516 - Type: XML External Entity (XXE) injection vulnerability - CVSS Score: 10.0 (Maximum severity) - Attack Vector: Malicious PDFs with XFA forms - Impact: Local file exfiltration and Server-Side Request Forgery (SSRF) Changes: - Upgraded Tika from 2.8.0 to 3.2.2 in tika-plugin module - Upgraded Tika from 1.28.5 to 3.2.2 in system-bundles module Testing: - Maven build successful: all dependencies resolved - No API breaking changes detected - All modules built without errors Related Issue: #34163 References: - NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66516 - Security Advisory: https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 --- independent-projects/core-plugins/tika-plugin/pom.xml | 2 +- osgi-base/system-bundles/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/independent-projects/core-plugins/tika-plugin/pom.xml b/independent-projects/core-plugins/tika-plugin/pom.xml index 13a0d9fa661e..75cdcc3c5b82 100644 --- a/independent-projects/core-plugins/tika-plugin/pom.xml +++ b/independent-projects/core-plugins/tika-plugin/pom.xml @@ -13,7 +13,7 @@ 5.1.8 8.0.0 7.0.0 - 2.8.0 + 3.2.2 true diff --git a/osgi-base/system-bundles/pom.xml b/osgi-base/system-bundles/pom.xml index 6d254f664148..76b8e4642f8f 100644 --- a/osgi-base/system-bundles/pom.xml +++ b/osgi-base/system-bundles/pom.xml @@ -13,7 +13,7 @@ false - 1.28.5 + 3.2.2 1.3.6 9.4 2.7.0