Akamai acquires LayerX, delivering end-to-end security and real-time AI usage control to any browser. Get details

CVE-2025-66516: Detecting and Defending Against Apache Tika XXE Attack

Akamai customers have been protected from this vulnerability since December 11, 2025.

Share

Executive summary

CVE-2025-66516 is a newly discovered critical XML external entity (XXE) vulnerability in Apache Tika that allows attackers to exploit and abuse crafted XFA content that is embedded within PDF files. Because of unsafe XML parsing in tika-core, uploaded malicious PDF documents can trigger external entity resolution during document processing, potentially leading to sensitive file disclosure or outbound network access. 

This vulnerability affects and impacts multiple Tika modules and expands the scope of a previously reported issue, making any service that unsafely parses or processes untrusted PDFs with Apache Tika a very high-risk target.

Akamai has deployed an Akamai Adaptive Security Engine Rapid Rule to protect our customers from these threats.

Vulnerability details

A critical XML parsing flaw has been discovered in Apache Tika:

CVE-2025-66516 — XML external entity (XXE) injection via crafted PDFs

An attacker can embed malicious XML (XFA content) inside a PDF and upload it to a web server that processes documents using Apache Tika. Unsafe XML parsing may cause external entities to be unintentionally expanded during file processing, allowing the web server to read internal files or initiate unintended outbound network requests.

This can lead to sensitive data exposure or server-side request forgery (SSRF) in environments that handle untrusted documents, effectively turning routine document scanning into an attack surface and a data exposure risk.

Mitigation with Akamai App & API Protector

On December 11, 2025, Akamai deployed an Adaptive Security Engine Rapid Rule for Akamai App & API Protector customers to provide mitigation:

  • 3000980 — Apache Tika XML External Entity (XXE) Attack Detected (CVE-2025-66516)

Summary

Akamai has released a new App & API Protector rule to provide protection against a newly disclosed vulnerability that’s impacting multiple Apache Tika–based deployments.

However, the most effective defense will always be the prompt application of the patches provided by the vendor. Given the severity of this issue, any patches should be applied as soon as possible.

Stay tuned

The Akamai Security Intelligence Group will continue to monitor, report on, and create mitigations for threats such as these for both our customers and the security community at large. To keep up with more breaking news from the Akamai Security Intelligence Group, check out our research home page and follow us on social media.

Tags

Share

Related Blog Posts

Security Research
Conti’s Hacker Manuals — Read, Reviewed & Analyzed
April 05, 2022
Conti is a notorious ransomware group that targets high-revenue organizations. They were first detected in 2020, and appear to be based in Russia. It is believed that the group is the successor to Ryuk ransomware group. According to Chainalysis, The ransomware group was the highest grossing of all ransomware groups in 2021, with an estimated revenue of at least 180 million dollars.
Security Research
What’s That Scraping Sound? How Web Scraper Bots Erode Ecommerce Profits
June 25, 2024
The SOTI report on ecommerce describes the economic impacts, detection challenges, and sophistication of web scraper bots.