This is an automated email from the ASF dual-hosted git repository.

rombert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-site.git


The following commit(s) were added to refs/heads/master by this push:
     new ddcc04f53 Add advisory regarding CVE-2025-66516
ddcc04f53 is described below

commit ddcc04f537ff4a4dec5b57f4fad46f24ef211b32
Author: Robert Munteanu <[email protected]>
AuthorDate: Mon Feb 9 14:04:02 2026 +0100

    Add advisory regarding CVE-2025-66516
---
 src/main/jbake/content/news.md                    |  1 +
 src/main/jbake/content/security/CVE-2025-66516.md | 32 +++++++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/src/main/jbake/content/news.md b/src/main/jbake/content/news.md
index b833f34ba..d11035a14 100644
--- a/src/main/jbake/content/news.md
+++ b/src/main/jbake/content/news.md
@@ -5,6 +5,7 @@ tags=news
 tableOfContents=false
 ~~~~~~
 
+* Security Advisory: [Apache Sling advisory regarding 
CVE-2025-66516](./security/CVE-2025-66516.html)
 * Apache Sling now supports Jakarta Servlet API 6.1 (June 28th)
 * Released [Apache Sling 13](/news/sling-13-released.html) (January 17th, 
2025).
 * Security Advisory: [Apache Sling advisory regarding 
CVE-2023-6378](./security/CVE-2023-6378.html)
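Review bot: The new list entry on the `+` line is added without a date, so readers of the news page cannot tell when this advisory was published; the neighbouring entries carry one ("(June 28th)", "(January 17th, 2025)"). Since the commit's AuthorDate is Mon Feb 9 2026, consider appending "(February 9th, 2026)" to the entry, e.g. `* Security Advisory: [Apache Sling advisory regarding CVE-2025-66516](./security/CVE-2025-66516.html) (February 9th, 2026)`. The same omission already exists on the older CVE-2023-6378 line, so if the intent is that advisory entries are undated, it would help to apply that consistently and say so in a comment at the top of the list rather than leave it ambiguous.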
diff --git a/src/main/jbake/content/security/CVE-2025-66516.md 
b/src/main/jbake/content/security/CVE-2025-66516.md
new file mode 100644
index 000000000..3a2818c37
--- /dev/null
+++ b/src/main/jbake/content/security/CVE-2025-66516.md
@@ -0,0 +1,32 @@
+title=Apache Sling advisory regarding CVE-2025-66516
+type=page
+status=published
+tags=security
+tableOfContents=false
+~~~~~~
+
+Vulnerability 
[CVE-2025-66516](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66516) 
was
+reported against the Apache Tika project. This is a critical XXE (XML External 
Entity) vulnerability
+in Apache Tika that affects the tika-core (1.13-3.2.1), tika-pdf-module 
(2.0.0-3.2.1) and tika-parsers
+(1.13-1.28.5) modules. The vulnerability allows an attacker to carry out XML 
External Entity injection
+via a crafted XFA file inside of a PDF. This could potentially lead to 
unauthorized access to sensitive
+files, server-side request forgery (SSRF), or denial of service attacks.
+
+The Sling Starter continues to use Tika 1.x due to backwards compatibility 
concerns. The migration
+from Tika 1.x to Tika 3.x involves changes to exported package versions that 
could break existing
+applications. The Apache Sling PMC is tracking the upgrade to Tika 3.x in
+[SLING-12047](https://issues.apache.org/jira/browse/SLING-12047) as a 
long-term task.
+
+The Sling Starter still ships with Tika version 1.28.5, which is vulnerable to 
this CVE. However,
+the Apache Sling PMC has mitigated the risk by adding the
+[org.apache.sling:org.apache.sling.jaxp-configurator](https://github.com/apache/sling-org-apache-sling-jaxp-configurator)
+bundle to the Sling Starter. This bundle disables the attack vector used by 
the vulnerability by
+enforcing best practices regarding XML parsing. The mitigation work is tracked 
in
+[SLING-13085](https://issues.apache.org/jira/browse/SLING-13085).
+
+Sling Starter version 14 will include this mitigation by default.
+
+The Apache Sling PMC strongly encourages including the 
`org.apache.sling:org.apache.sling.jaxp-configurator`
+bundle in your feature model and ensuring it is the first bundle to start up. 
For projects using a similar structure
+to the Sling Starter, it is recommended to add the jaxp-configurator as the 
first bundle in the
+boot.json feature file.
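Review bot: The mitigation section gives the reader no way to check that they are actually protected: it states that `org.apache.sling.jaxp-configurator` must be "the first bundle to start up", but names no minimum version of that bundle, does not say which existing Sling Starter releases (the text only says "version 14 will include this mitigation by default") ship without it, and offers no verification step for the start-order requirement. Consider adding the bundle version that contains the fix, an explicit statement that Starter 13 and earlier need the manual addition, and a sentence on how an operator can confirm the bundle is started before Tika (for example by checking the start level assigned in the `boot.json` feature file). A smaller point on the first paragraph: the affected-version ranges are written with bare hyphens ("1.13-3.2.1", "2.0.0-3.2.1", "1.13-1.28.5"), which read ambiguously; "1.13 through 3.2.1" or "1.13 to 3.2.1 inclusive" would make clear that the Starter's Tika 1.28.5 falls inside the tika-parsers range, which is the fact the rest of the advisory depends on.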
