CVE-2025-66516
WSO2 Products impacted: no
Customer actions required: no
REPORTED VULNERABILITY
CVE-2025-66516 [1][2] identifies a vulnerability in the tika-core dependency that allows an attacker to carry out XML External Entity (XXE) injection via a crafted XFA file inside a PDF. The entry point for exploitation is the tika-parser-pdf-module (for 2.x versions) or tika-parsers (for 1.x versions). This CVE covers the same vulnerability as CVE-2025-54988 [3][4], which was reported against the tika-parser-pdf-module. CVE-2025-66516 redefines an expanded scope for the same CVE-2025-54988 vulnerability for the following reasons.
- Although only the tika-parser-pdf-module was mentioned as affected by CVE-2025-54988, the vulnerability and the fix for it are in the tika-core component [5]. Hence users who only upgraded tika-parser-pdf-module to mitigate CVE-2025-54988 are still vulnerable.
- In the Tika 1.x series the PDFParser classes are in the tika-parsers module, and the original CVE-2025-54988 made no mention of it.
In summary, CVE-2025-66516 is the same vulnerability as CVE-2025-54988 but with a revised scope of affected modules: tika-core (1.13-3.2.1), tika-parsers (1.13-1.28.5) and tika-parser-pdf-module (2.0.0-3.2.1).
REPORTED PRODUCTS
- WSO2 API Manager : 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0
WSO2 JUSTIFICATION
WSO2 API Manager uses the tika-core component in the Publisher REST APIs to detect and validate the true MIME types of uploaded thumbnail and document files, thereby ensuring that users upload the expected file formats. Furthermore, API Manager uses neither tika-parser-pdf-module nor tika-parsers. Tika MIME type detection is not affected by the vulnerability, and this has been confirmed by a Tika committer [6]. Hence the API Manager product is not affected by CVE-2025-66516.
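The usage pattern the justification relies on, as an added illustration (not WSO2's own code): MIME-type validation that calls only the tika-core detector, so PDFParser and the XFA parsing path behind this CVE are never invoked. The allowlist and the sample bytes are constructed for the illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import org.apache.tika.Tika;

// Hypothetical upload check built on tika-core alone: the Tika facade's
// detect() methods consult magic bytes and the file-name hint; they do not
// hand the bytes to any parser module.
public class UploadMimeCheck {
    // Constructed allowlist for a thumbnail/document upload endpoint.
    private static final Set<String> ALLOWED =
            Set.of("image/png", "image/jpeg", "application/pdf");

    private static final Tika TIKA = new Tika(); // detection only, no parsing

    /** Returns the detected MIME type, or throws if it is not allowlisted. */
    public static String validate(byte[] content, String declaredName)
            throws IOException {
        // Tika.detect(byte[], String) inspects the leading bytes plus the
        // name hint. The body is not parsed, so a crafted XFA payload inside
        // a PDF is never processed here; it would only be reached by calling
        // a parser (Tika.parse / AutoDetectParser), which this code avoids.
        String detected = TIKA.detect(content, declaredName);
        if (!ALLOWED.contains(detected)) {
            throw new IOException("rejected upload: detected type " + detected);
        }
        return detected;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: named like a PNG, but the bytes carry a PDF
        // header, so content-based detection decides rather than the name.
        byte[] pdfHeader = "%PDF-1.7\n".getBytes(StandardCharsets.US_ASCII);
        System.out.println(validate(pdfHeader, "thumbnail.png"));

        // Constructed sample: plain text with a .pdf name.
        byte[] text = "hello".getBytes(StandardCharsets.US_ASCII);
        try {
            System.out.println(validate(text, "doc.pdf"));
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The validated type, not the user-supplied extension, is what should drive any later handling of the upload; if a parser is ever added to such a path, the tika-core version then becomes relevant to this CVE.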
CONCLUSION
- WSO2 API Manager is not affected by the vulnerability CVE-2025-66516.