Elasticsearch 8.18.6, 8.19.3, 9.0.6, and 9.1.3 Security Update (ESA-2025-14) (CVE-2025-54988)

Elasticsearch XML external entity (XXE) injection in Apache Tika (ESA-2025-14)

On August 20, 2025, CVE-2025-54988 was announced, disclosing an XML External Entity (XXE) injection flaw in the Apache Tika PDF parser module (tika-parser-pdf-module). The vulnerability allows an attacker who can supply a crafted XFA file embedded in a PDF to read sensitive data or to trigger malicious requests to internal resources or third-party servers.

This issue affects Elasticsearch; however, the severity is reduced from critical to high because the attacker must be authenticated. Threat actors can trigger the Apache Tika XXE vulnerability in Elasticsearch by providing a malformed PDF to the ingest attachment processor, which can cause unauthorized requests to internal resources or third-party servers, or can be used to read sensitive data.

Affected Versions:
8.18.0 up to and including 8.18.5, 8.19.0 up to and including 8.19.2, 9.0.0 up to and including 9.0.5, 9.1.0 up to and including 9.1.2

Affected Configurations:

Elasticsearch is affected by this only when using the ingest attachment processor.

For versions of Elasticsearch that use the Java Security Manager, which include 8.17.8 and below, the risk is mitigated because the Java Security Manager prevents exploitation of the vulnerability.

Solutions and Mitigations:

Users should upgrade to version 8.18.6, 8.19.3, 9.0.6, or 9.1.3.

For Users that Cannot Upgrade:

We strongly recommend that users upgrade. The following workarounds mitigate the security issue but can have a serious impact on data ingestion.

Users that cannot upgrade could delete any ingest pipelines that call the “attachment” processor and handle untrusted PDF files. Note that this can cause ingest to fail or will produce data that has bypassed any enrichment or transformation logic that existed in the deleted pipelines.

  1. Find all pipelines that have an attachment processor with the Get Ingest Pipelines API:

    GET _ingest/pipeline

    This will return all pipelines in the system, with the key of each top-level object being the pipeline name.

  2. Look for any processors in the result that are labeled “attachment”, and record the pipeline name.

  3. Attempt to delete each of those pipelines with the Delete Ingest Pipeline API:

    DELETE _ingest/pipeline/pipeline1

Note that built-in pipelines, like search-default-ingestion, cannot be deleted. Calling the Delete Ingest Pipeline API will report success but the pipeline will be immediately recreated.

Also, attempts to delete some pipelines will fail with an “illegal_argument_exception” because those pipelines are configured as the default or final pipeline of an index.
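As an added example (not part of Elastic's advisory), the following Python scans a saved `GET _ingest/pipeline` response for pipelines that reference the attachment processor, including ones nested inside a `foreach` processor or an `on_failure` handler, and prints the matching delete requests. The sample response is constructed; the pipeline names in it are not from any real cluster.

```python
import json

# Constructed sample of a GET _ingest/pipeline response; not output from a real cluster.
SAMPLE_RESPONSE = json.dumps({
    "logs-default": {
        "processors": [{"grok": {"field": "message", "patterns": ["%{SYSLOGLINE}"]}}]},
    "docs-attachments": {
        "processors": [{"attachment": {"field": "data"}}, {"remove": {"field": "data"}}]},
    "bulk-attachments": {
        "processors": [{"foreach": {"field": "files",
                                    "processor": {"attachment": {"field": "_ingest._value.data"}}}}]},
    "enrich-only": {
        "processors": [{"set": {"field": "ingested", "value": True}}],
        "on_failure": [{"attachment": {"field": "fallback"}}]},
})


def _processor_names(processors):
    """Yield the name of every processor, descending into foreach bodies and on_failure handlers."""
    for proc in processors:
        for name, body in proc.items():
            yield name
            if not isinstance(body, dict):
                continue
            if name == "foreach" and "processor" in body:
                yield from _processor_names([body["processor"]])
            yield from _processor_names(body.get("on_failure", []))


def pipelines_using_attachment(response_json):
    """Return the sorted names of pipelines whose processor tree contains an attachment processor."""
    pipelines = json.loads(response_json)
    hits = []
    for pipeline_name, definition in pipelines.items():
        # Pipeline-level on_failure handlers can also call attachment.
        procs = list(definition.get("processors", [])) + definition.get("on_failure", [])
        if "attachment" in _processor_names(procs):
            hits.append(pipeline_name)
    return sorted(hits)


def delete_requests(pipeline_names):
    """Console requests to run next; built-in or default/final pipelines may still refuse deletion."""
    return [f"DELETE _ingest/pipeline/{name}" for name in pipeline_names]


if __name__ == "__main__":
    for request in delete_requests(pipelines_using_attachment(SAMPLE_RESPONSE)):
        print(request)
```

Run the printed requests in Kibana Dev Tools or via curl, then re-run the scan to confirm nothing was silently recreated.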

An alternative is to delete the ingest attachment module on each Elasticsearch server; the impact is that any pipeline that uses the attachment processor will fail. This means that any pipeline that transforms data from formats such as Word, Excel, or PDF files would fail, and customers would not be able to ingest this data. Attempts to do so would get an HTTP response with status code 500 and a root cause type of illegal_state_exception. This workaround can only be applied on self-hosted Elasticsearch clusters.

  1. On each Elasticsearch node in the cluster, change to the Elasticsearch installation’s top-level directory

  2. Delete the ingest attachment module by running “rm -Rf modules/ingest-attachment”

  3. Restart the Elasticsearch server

Severity: CVSSv3.1: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MPR:L

CVE ID: CVE-2025-54988
