On 17.11.2025 at 10:19, Marco Matessi wrote:
> Hello all,
>
> I noticed that Apache Jackrabbit OAK currently depends on Tika 1.28.5,
> likely due to compatibility requirements with Lucene 4.7.2.

Actually AFAIU, it's blocked by the upgrade of slf4j to 2.x. That one is non-trivial because it has breaking API changes.

> A new severe vulnerability has been reported in the PDF parser of
> Tika: https://nvd.nist.gov/vuln/detail/CVE-2025-54988

Noted. See https://issues.apache.org/jira/browse/OAK-9752.

> Since upgrading Tika may not be straightforward because of Lucene
> compatibility, I would like to ask: Are there recommended approaches
> or possible mitigations for this issue in OAK?
>
> Looking forward to your thoughts.
>
> Best regards, Marco

Best regards, Julian
