Hello all, I noticed that Apache Jackrabbit OAK currently depends on Tika 1.28.5, likely due to compatibility requirements with Lucene 4.7.2.
A new severe vulnerability has been reported in the PDF parser of Tika: https://nvd.nist.gov/vuln/detail/CVE-2025-54988 Since upgrading Tika may not be straightforward because of Lucene compatibility, I would like to ask: Are there recommended approaches or possible mitigations for this issue in OAK? Looking forward to your thoughts. Best regards, Marco
