CVE-2025-66516

Is Elasticsearch impacted by CVE-2025-66516 in any version?

The directory elasticsearch/modules/ingest-attachment contains around 11 Tika libs.
According to GH, versions >8.18 and >9.0 have been upgraded to Tika 3.2.2 in the ingest-attachment processor and should not be impacted.

However, you should wait for the official Elastic response.

All supported versions are safe from this bug because they have been upgraded to tika 3.2.2 (Upgrading to tika 3.2.2 by masseyke · Pull Request #133410 · elastic/elasticsearch · GitHub). This includes 8.18.6+, 8.19.3+, 9.0.7+, 9.1.0, and anything higher than 9.1.0. We have also updated the low-level entitlements code in all supported versions to exclude java.xml from receiving the same broad privileges that the rest of the JVM has, in case some bug like this is re-introduced in tika in the future (https://github.com/elastic/elasticsearch/pull/133671).

Older versions of Elasticsearch (pre-8.18) are actually immune to this because the Java security manager prevented the java.xml package from doing anything dangerous.

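A practical way to act on the version list in the reply above is to check a cluster's reported version against the first patched release of each minor line, and to confirm the Tika jar versions actually shipped in the ingest-attachment module. The following script is an added example, not tooling from Elastic or from this thread; the jar filenames it scans are constructed samples, the `version.number` field is the one returned by the Elasticsearch root endpoint, and the patched-version boundaries are taken verbatim from the reply (8.18.6+, 8.19.3+, 9.0.7+, 9.1.0 and later).

```python
"""Classify an Elasticsearch version against the Tika 3.2.2 upgrade releases
named in the thread, and flag ingest-attachment Tika jars older than 3.2.2.
Added example; not Elastic's own code."""
import re
from pathlib import Path

# First release on each minor line that ships Tika 3.2.2 (from the reply above).
# 9.1.0 and everything above it is patched, handled separately in classify().
PATCHED_MINIMUM = {
    (8, 18): (8, 18, 6),
    (8, 19): (8, 19, 3),
    (9, 0): (9, 0, 7),
}
TIKA_FIXED = (3, 2, 2)
TIKA_JAR = re.compile(r"^(tika-[a-z0-9-]+?)-(\d+\.\d+\.\d+)\.jar$")


def parse_version(text):
    """Turn '8.18.6' (optionally 'v8.18.6' or '8.18.6-SNAPSHOT') into a tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(version):
    """Return 'patched', 'vulnerable', or a note for lines outside the list."""
    v = parse_version(version)
    if v >= (9, 1, 0):
        return "patched"
    minimum = PATCHED_MINIMUM.get(v[:2])
    if minimum is not None:
        return "patched" if v >= minimum else "vulnerable"
    if v < (8, 18, 0):
        # The reply states the Security Manager blocked java.xml on these lines;
        # they are still out of support, so treat as "upgrade anyway".
        return "pre-8.18 (security manager mitigation per thread; unsupported)"
    return "unknown"


def classify_cluster_info(info):
    """Classify the JSON body of GET / (the root endpoint), which carries
    version.number."""
    return classify(info["version"]["number"])


def tika_jar_versions(filenames):
    """Map each Tika artifact name in a file listing to its version tuple."""
    found = {}
    for name in filenames:
        m = TIKA_JAR.match(name)
        if m:
            found[m.group(1)] = tuple(int(x) for x in m.group(2).split("."))
    return found


def outdated_tika_jars(filenames, minimum=TIKA_FIXED):
    """Names of Tika jars below the fixed version, sorted for stable output."""
    return sorted(j for j, v in tika_jar_versions(filenames).items() if v < minimum)


def scan_module_dir(path):
    """Scan a real modules/ingest-attachment directory (hypothetical path)."""
    return outdated_tika_jars(p.name for p in Path(path).iterdir() if p.is_file())


# Constructed sample listing: one jar deliberately below 3.2.2.
SAMPLE_JARS = [
    "tika-core-3.1.0.jar",
    "tika-parser-pdf-module-3.2.2.jar",
    "commons-io-2.16.1.jar",
]

if __name__ == "__main__":
    for ver in ("8.17.9", "8.18.5", "8.18.6", "8.19.3", "9.0.6", "9.0.7", "9.2.0"):
        print(f"{ver:>8}: {classify(ver)}")
    print("outdated Tika jars in sample listing:", outdated_tika_jars(SAMPLE_JARS))
```

The jar check complements the version check: a node that reports a patched `version.number` but whose `modules/ingest-attachment` directory still holds an older `tika-core` jar (for example after a partial or manual upgrade) would be caught by `scan_module_dir`, which is the kind of drift a version-only inventory misses.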