Publish GHSA-f58c-gq56-vjjf

advisory-database[bot] · advisory-database[bot] · commit 3942060af1ab · 2025-12-05T02:27:37.000Z
diff --git a/advisories/github-reviewed/2025/12/GHSA-f58c-gq56-vjjf/GHSA-f58c-gq56-vjjf.json b/advisories/github-reviewed/2025/12/GHSA-f58c-gq56-vjjf/GHSA-f58c-gq56-vjjf.json
@@ -1,19 +1,84 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f58c-gq56-vjjf",
-  "modified": "2025-12-04T18:30:54Z",
+  "modified": "2025-12-05T02:26:56Z",
   "published": "2025-12-04T18:30:54Z",
   "aliases": [
     "CVE-2025-66516"
   ],
+  "summary": "Apache Tika has XXE vulnerability",
   "details": "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. \n\nThis CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. \n\nFirst, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. \n\nSecond, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the \"org.apache.tika:tika-parsers\" module.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tika:tika-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.13"
+            },
+            {
+              "fixed": "3.2.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.2.1"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tika:tika-parsers"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.13"
+            },
+            {
+              "fixed": "2.0.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tika:tika-parser-pdf-module"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.0.0"
+            },
+            {
+              "fixed": "3.2.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.2.1"
+      }
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,6 +88,10 @@
       "type": "WEB",
       "url": "https://cve.org/CVERecord?id=CVE-2025-54988"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/tika"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k"
@@ -33,8 +102,8 @@
       "CWE-611"
     ],
     "severity": "CRITICAL",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-05T02:24:30Z",
     "nvd_published_at": "2025-12-04T17:15:57Z"
   }
 }
