Hi Michael, As you may have seen, we've just announced that this CVE-2025-66516 *does potentially impact all DSpace 7.x-9.x sites*. See this email: https://groups.google.com/g/dspace-tech/c/nfU4TzAQq38
Thank you for sending this email to dspace-tech, as it did help to bring this Apache Tika vulnerability to our attention. This week we've been busily analyzing it, figuring out the impacts and the necessary patches, which is why I didn't respond until now. Thanks again!

Please do patch your site or disable PDF-to-text extraction until you can do so (see the linked email for details).

Tim

On Monday, December 8, 2025 at 10:32:07 AM UTC-6 Michael Plate wrote:

> Hi,
>
> This is going through the security news; the problem also seems to be older:
>
> https://nvd.nist.gov/vuln/detail/CVE-2025-66516
>
> It describes a vulnerability in Tika, which is used in DSpace to extract text from bitstreams, mostly PDFs.
>
> I am not sure how this affects DSpace (if at all). However, DSpace seems to be bound to version 2.9.x; the fix exists only for version 3.2.2.
>
> The problem occurs when parsing XXE (XML external entity), which might be embedded into an uploaded item bitstream.
>
> Michael
>
> --
> Dipl.-Ing. Michael Plate, MA (LIS)
> Universitätsbibliothek Kassel – Landesbibliothek und Murhardsche Bibliothek der Stadt Kassel
> Department III Digital Library Services
> Group Lead, Library-Specific Hardware and Software
> Diagonale 10
> 34127 Kassel
> Tel.: +49 561 804 3434
> Fax: +49 561 804 7433
> [email protected]
> www.ub.uni-kassel.de
> ORCID: https://orcid.org/0000-0001-7670-3034
>
> This e-mail may contain confidential and/or legally protected information. This information is intended solely for the named person(s) or institution(s). If you are not the intended recipient of this e-mail, any publication, reproduction or forwarding is prohibited. If you have received this e-mail in error, please inform me, return the e-mail and destroy your copy.
>
> --
> All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
> ---
> You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/dspace-tech/a0b9939e-8e20-4199-acfe-10ed23f32420n%40googlegroups.com.
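The thread above describes the vulnerability class (an XML external entity declared inside XML that arrives embedded in an uploaded bitstream) but contains no code, and neither DSpace's nor Apache Tika's parser code is shown. The following is an added illustration, not code from the thread, DSpace or Tika, of what a hardened text-extraction path has to do: refuse the document at the moment an external (SYSTEM/PUBLIC) or parameter entity is declared, before any parser resolves it. It uses only the Python standard library's expat binding as a stand-in for the Java XML stack DSpace actually runs; the sample documents and the `file:///placeholder/...` URIs are constructed and never fetched.

```python
"""Refuse XML that declares external entities before any parse resolves them.

Added example (not DSpace or Apache Tika code). An XXE payload declares an
entity whose replacement text lives at a SYSTEM/PUBLIC URI and then references
it, so a naive parser fetches a local file or remote URL while extracting text.
The defence below aborts the parse on the declaration itself.
"""
import xml.parsers.expat


class ExternalEntityRefused(ValueError):
    """Raised when the document declares a DOCTYPE/entity the policy forbids."""


def extract_text(xml_bytes: bytes, allow_doctype: bool = False) -> str:
    """Return the character data of xml_bytes, or raise ExternalEntityRefused.

    allow_doctype=False (safe default, the equivalent of a 'disallow DOCTYPE'
    parser feature) aborts on any DOCTYPE. allow_doctype=True tolerates a DTD
    with internal entities but still refuses external DTD subsets, external
    (SYSTEM/PUBLIC) entities and parameter entities.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype:
            raise ExternalEntityRefused(f"DOCTYPE not permitted: {name}")
        if sysid or pubid:
            # An external DTD subset is itself a fetch of attacker-chosen data.
            raise ExternalEntityRefused(f"external DTD subset refused: {name}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Internal general entities carry their value inline (value is not None).
        # Anything with a system/public id, or any parameter entity, is refused.
        if is_param or sysid or pubid or notation:
            raise ExternalEntityRefused(f"external/parameter entity refused: {name}")

    def on_external_ref(context, base, sysid, pubid):
        # Belt and braces: returning 0 tells expat to abort instead of resolving.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = chunks.append

    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed XML (including a reference to an undeclared entity) is
        # treated the same way: the document is not extracted.
        raise ExternalEntityRefused(f"parse aborted: {exc}") from exc
    return "".join(chunks)


def is_safe(xml_bytes: bytes, allow_doctype: bool = False) -> bool:
    """Screening helper: True if the document would be extracted under the policy."""
    try:
        extract_text(xml_bytes, allow_doctype=allow_doctype)
    except ExternalEntityRefused:
        return False
    return True


# Constructed samples (placeholders, nothing is ever fetched).
BENIGN_SAMPLE = b"<doc><title>Hello</title> world</doc>"
INTERNAL_ENTITY_SAMPLE = b'<!DOCTYPE d [<!ENTITY a "hi">]><d>&a; there</d>'
XXE_SAMPLE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE d [<!ENTITY x SYSTEM "file:///placeholder/not-read">]>'
    b"<d>&x;</d>"
)
PARAM_ENTITY_SAMPLE = (
    b'<!DOCTYPE d [<!ENTITY % p SYSTEM "http://placeholder.invalid/x.dtd"> %p;]><d/>'
)

if __name__ == "__main__":
    for label, doc in [
        ("benign", BENIGN_SAMPLE),
        ("internal entity", INTERNAL_ENTITY_SAMPLE),
        ("xxe", XXE_SAMPLE),
        ("parameter entity", PARAM_ENTITY_SAMPLE),
    ]:
        print(f"{label:17s} strict={is_safe(doc)!s:5s} lenient={is_safe(doc, True)}")
```

The strict default is what an extraction service should run with: text extraction from untrusted uploads has no legitimate need for a DTD, so rejecting every DOCTYPE removes the whole entity mechanism rather than trying to enumerate dangerous declarations. The lenient mode shows the narrower check for pipelines that must accept internal entities; note that it still refuses the external DTD subset and parameter entities, since both are fetch paths even when no general entity is ever referenced.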
