Skip to content

Update dependency org.apache.tika:tika-core to v3 [SECURITY]#402

Open
renovate[bot] wants to merge 2 commits into
masterfrom
renovate/maven-org.apache.tika-tika-core-vulnerability
Open

Update dependency org.apache.tika:tika-core to v3 [SECURITY]#402
renovate[bot] wants to merge 2 commits into
masterfrom
renovate/maven-org.apache.tika-tika-core-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Dec 5, 2025

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
org.apache.tika:tika-core (source) 1.28.53.2.2 age confidence

Apache Tika has XXE vulnerability

CVE-2025-66516 / GHSA-f58c-gq56-vjjf

More information

Details

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF.

This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways.

First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.

Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

Severity

  • CVSS Score: 10.0 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

apache/tika (org.apache.tika:tika-core)

v3.2.2

Compare Source

v3.2.1

Compare Source

v3.2.0

Compare Source

v3.1.0

Compare Source

v3.0.0

Compare Source

v2.9.4

Compare Source

v2.9.3

Compare Source

v2.9.2

Compare Source

v2.9.1

Compare Source

v2.9.0

Compare Source

v2.8.0

Compare Source

v2.7.0

Compare Source

v2.6.0

Compare Source

v2.5.0

Compare Source

v2.4.1

Compare Source

v2.4.0

Compare Source

v2.3.0

Compare Source

v2.2.1

Compare Source

v2.2.0

Compare Source

v2.1.0

Compare Source

v2.0.0

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies A PR that updates dependencies - used by Release Drafter label Dec 5, 2025
@renovate
renovate Bot enabled auto-merge (squash) December 5, 2025 02:27
@renovate
renovate Bot force-pushed the renovate/maven-org.apache.tika-tika-core-vulnerability branch from 2d0ba9c to 80defc7 Compare February 2, 2026 16:49
@renovate
renovate Bot force-pushed the renovate/maven-org.apache.tika-tika-core-vulnerability branch from 80defc7 to d6af288 Compare February 12, 2026 15:31
@renovate renovate Bot changed the title Update dependency org.apache.tika:tika-core to v3 [SECURITY] Update dependency org.apache.tika:tika-core to v3 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
auto-merge was automatically disabled March 27, 2026 01:49

Pull request was closed

@renovate
renovate Bot deleted the renovate/maven-org.apache.tika-tika-core-vulnerability branch March 27, 2026 01:49
@renovate renovate Bot changed the title Update dependency org.apache.tika:tika-core to v3 [SECURITY] - autoclosed Update dependency org.apache.tika:tika-core to v3 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate
renovate Bot force-pushed the renovate/maven-org.apache.tika-tika-core-vulnerability branch 2 times, most recently from d6af288 to d48d13e Compare March 30, 2026 21:27
@renovate
renovate Bot enabled auto-merge (squash) May 14, 2026 18:07
@renovate
renovate Bot force-pushed the renovate/maven-org.apache.tika-tika-core-vulnerability branch from d48d13e to d872af7 Compare May 14, 2026 18:07
@renovate
renovate Bot force-pushed the renovate/maven-org.apache.tika-tika-core-vulnerability branch from d872af7 to 607c490 Compare June 8, 2026 04:11
@timja

timja commented Jun 8, 2026

Copy link
Copy Markdown
Member

@copilot can you fix the build here?

auto-merge was automatically disabled June 8, 2026 08:21

Head branch was pushed to by a user without write access

Copilot AI commented Jun 8, 2026

Copy link
Copy Markdown

@copilot can you fix the build here?

Pushed a fix in f9dc73d that keeps tika-core at 3.2.2 and adds an explicit commons-io:2.20.0 dependency to align Tika 3.x requirements and unblock the build.

Copilot finished work on behalf of timja June 8, 2026 08:22
Copilot AI requested a review from timja June 8, 2026 08:22
@renovate

renovate Bot commented Jun 8, 2026

Copy link
Copy Markdown
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies A PR that updates dependencies - used by Release Drafter

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants