Enterprise Search XML external entity (XXE) injection in Apache Tika (ESA-2025-15)
On August 20, 2025, CVE-2025-54988 was announced, disclosing an XML External Entity (XXE) injection flaw in the Apache Tika PDF parser module (tika-parser-pdf-module). This vulnerability allows an attacker to provide a crafted XFA file within a PDF to read sensitive data or trigger malicious requests to internal resources or third-party servers.
This issue affects Enterprise Search; however, the severity is reduced from critical to high because the attacker must be authenticated. Threat actors can trigger the Apache Tika XXE vulnerability in Enterprise Search by providing a malformed PDF for ingestion, which can trigger unauthorized requests to internal resources or third-party servers, or could be used to read sensitive data.
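The flaw described above is triggered by an XML packet (the XFA form data) embedded in a PDF stream that declares an external entity. As an added, defender-side illustration (not code from Elastic or Apache Tika), the following Python script inflates the streams of a PDF and flags any XML packet that carries a DOCTYPE with a SYSTEM/PUBLIC identifier or an ENTITY declaration, which is the machinery an XXE payload needs. The minimal PDF bytes, the XFA packets and the `xxe-test.invalid` host are constructed test fixtures; the stream extractor is a deliberately simple regex that ignores /Length and object streams, so it is a pre-ingest screening heuristic, not a replacement for upgrading.

```python
from __future__ import annotations

import re
import zlib

# A stream body in a PDF file. The lookbehind keeps "endstream" from being
# treated as the start of a stream. Assumption: no stream body contains the
# literal "\nendstream"; a production check should honour /Length instead.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# XML constructs that enable external entity expansion.
_DOCTYPE_EXTERNAL = re.compile(rb"<!DOCTYPE[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)
_ENTITY_DECL = re.compile(rb"<!ENTITY\b", re.IGNORECASE)


def _inflate(body: bytes) -> bytes:
    """Return the FlateDecode-decompressed body, or the raw body if it is not zlib data."""
    try:
        return zlib.decompress(body)
    except zlib.error:
        return body


def scan_pdf_streams(pdf_bytes: bytes) -> list[dict]:
    """Report every XML-looking stream that declares entities or an external DOCTYPE."""
    findings = []
    for index, match in enumerate(_STREAM.finditer(pdf_bytes)):
        data = _inflate(match.group(1))
        # Only XML packets (XFA is XML) are of interest for XXE.
        if b"<?xml" not in data[:64] and b"<xdp:xdp" not in data:
            continue
        reasons = []
        if _DOCTYPE_EXTERNAL.search(data):
            reasons.append("DOCTYPE with SYSTEM/PUBLIC identifier")
        if _ENTITY_DECL.search(data):
            reasons.append("ENTITY declaration")
        if reasons:
            findings.append({
                "stream": index,
                "xfa": b"xdp" in data or b"xfa" in data,
                "reasons": reasons,
            })
    return findings


def is_safe_to_ingest(pdf_bytes: bytes) -> bool:
    """True when no stream in the PDF carries entity-expansion constructs."""
    return not scan_pdf_streams(pdf_bytes)


def build_sample_pdf(xfa_xml: bytes, compress: bool = True) -> bytes:
    """Constructed fixture: a minimal PDF whose AcroForm points at one XFA stream."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj\n"
        b"2 0 obj << /XFA 3 0 R >> endobj\n"
        b"3 0 obj << " + filt + b"/Length " + str(len(body)).encode() + b" >>\n"
        b"stream\n" + body + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


# Constructed XFA packets: one that declares an external entity, one that does not.
MALICIOUS_XFA = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE xdp:xdp [ <!ENTITY ext SYSTEM "http://xxe-test.invalid/"> ]>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">&ext;</xdp:xdp>\n'
)
BENIGN_XFA = (
    b'<?xml version="1.0"?>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template/></xdp:xdp>\n'
)
MALICIOUS_SAMPLE = build_sample_pdf(MALICIOUS_XFA)
BENIGN_SAMPLE = build_sample_pdf(BENIGN_XFA)

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "safe" if is_safe_to_ingest(sample) else scan_pdf_streams(sample))
```

Run as a script it prints the findings for both fixtures. The screen is intentionally strict: it rejects any entity declaration, including internal ones, because a document ingestion pipeline has no legitimate need for them and entity expansion is also a denial-of-service vector.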
Affected Versions:
8.0.0 up to and including 8.19.2
Affected Configurations:
Only Workplace Search is affected. App Search and Elastic Crawler users are not affected.
Solutions and Mitigations:
Users should upgrade to version 8.18.6 or 8.19.3.
Severity: CVSSv3.1: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MPR:L
CVE ID: CVE-2025-54988