Hi all,

Apache Tika recently announced CVE-2025-66516 
<https://nvd.nist.gov/vuln/detail/CVE-2025-66516>, a critical XXE (XML 
External Entity) vulnerability in their PDF parsers/modules. This 
vulnerability would allow an attacker to carry out XML External Entity 
injection via a crafted XFA file inside of a PDF. *This XXE vulnerability 
has been assigned the highest possible severity of 10.0*.

All versions of DSpace 7.x - 9.x use Apache Tika's PDF parsers to extract 
text from any PDF files that are deposited into DSpace.  Therefore, it is 
possible that an attacker (with submitter privileges) could deposit a 
malicious PDF file into a DSpace site.  *A malicious PDF may be able to 
exploit this vulnerability in order to write system information into the 
extracted text file, making it searchable/viewable to the attacker and 
others.*

*We highly recommend all DSpace 7.x - 9.x sites perform ONE of the 
following actions:*

   - Temporarily disable all PDF-to-text extraction (until you can patch
     your site or upgrade). See GitHub ticket below for details.
   - Or, immediately patch your site to use Apache Tika 3.2.3 (which is a
     patched version that works well with DSpace). See GitHub ticket below
     for details.

Details on how to protect your site can be found in this GitHub issue 
ticket: 
https://github.com/DSpace/DSpace/issues/11678

We are also working on finalizing DSpace maintenance releases (versions 
7.6.6, 8.3 and 9.2), which will include the necessary update to Apache Tika 
3.2.3 along with other recent bug fixes. These releases are expected to be 
announced sometime next week (Dec 15-19, 2025), hopefully by/on Wednesday.

If you have any private questions about this notice, please feel free to 
reach out to the DSpace Committers via our security email address: 
[email protected] .  Public questions are welcome on this mailing list or 
on the GitHub ticket.

Sincerely,

Tim

*--*

*Tim Donohue* (he/him)

Technical Lead, DSpace

DSpace.org <https://dspace.org/> | Lyrasis.org <https://lyrasis.org/>
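As an added check, not part of Tim's notice or of DSpace's own code: a small POSIX shell script that inspects the Apache Tika jars bundled in a deployed DSpace backend and flags any tika-core older than the patched 3.2.3 release named above. The default lib directory ([dspace]/webapps/server/WEB-INF/lib) is an assumption about a typical DSpace 7+ backend deployment; pass the real path as the first argument if yours differs.

```shell
#!/bin/sh
# Added example (not from the DSpace advisory): report the tika-core jar(s)
# present in a DSpace backend deployment and flag anything older than 3.2.3.
# The default lib path below is an ASSUMPTION about a typical DSpace 7+ layout.

# version_ge A B: exit 0 if dotted version A >= B, else 1.
# Implemented in awk so it does not depend on GNU "sort -V".
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    len = (n > m) ? n : m;
    for (i = 1; i <= len; i++) {
      xi = (i in x) ? x[i] + 0 : 0;   # missing components count as 0
      yi = (i in y) ? y[i] + 0 : 0;
      if (xi > yi) exit 0;
      if (xi < yi) exit 1;
    }
    exit 0
  }'
}

# jar_version /path/tika-core-2.9.2.jar -> 2.9.2
jar_version() {
  basename "$1" .jar | sed 's/^tika-core-//'
}

# check_tika_libs [LIBDIR]: print a verdict for each tika-core jar found.
# Returns 0 if every tika-core jar is >= 3.2.3, 1 if any is older or if
# no tika-core jar is present (so you can tell a clean result from a miss).
check_tika_libs() {
  libdir="${1:-/dspace/webapps/server/WEB-INF/lib}"   # assumed default layout
  found=0
  status=0
  for jar in "$libdir"/tika-core-*.jar; do
    [ -e "$jar" ] || continue          # glob did not match anything
    found=1
    v="$(jar_version "$jar")"
    if version_ge "$v" "3.2.3"; then
      echo "OK         tika-core $v ($jar)"
    else
      echo "VULNERABLE tika-core $v ($jar): upgrade to Tika 3.2.3 or disable PDF text extraction"
      status=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "No tika-core jar found under $libdir"
    return 1
  fi
  return "$status"
}

# Run only when a lib directory is given on the command line, e.g.
#   sh check_tika.sh /dspace/webapps/server/WEB-INF/lib
if [ $# -gt 0 ]; then
  check_tika_libs "$1"
fi
```

The script only reads jar filenames, so it is safe to run against a live deployment; a non-zero exit means either an old tika-core or no tika-core at all, both of which deserve a closer look before you decide the site is covered.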

-- 
All messages to this mailing list should adhere to the Code of Conduct: 
https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
--- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To view this discussion visit 
https://groups.google.com/d/msgid/dspace-tech/9d8864d3-22c3-47ef-b045-36f41b2fc863n%40googlegroups.com.
