Hello,
I'm one of the core contributors of the XWiki platform
(https://www.xwiki.org) which relies on Tika.
We got informed this morning through our automated checks about the
publication of CVE-2025-54988. We still haven't managed to finish our
migration to Tika 3.x because of the complex migration to Jakarta of all
the subsequent dependencies (see
https://jira.xwiki.org/browse/XWIKI-22595) meaning that we depend on
Tika 2.x which is affected by the CVE, apparently without any easy
workaround and without any plan for releasing a bug fix if I understand
correctly what's been announced regarding the 2.x EOL.
So at this point we're trying to understand how much we're possibly
affected by this CVE: we're currently using the tika-parser-pdf-module
mainly in that class:
https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-api/src/main/java/org/xwiki/search/solr/internal/metadata/AbstractSolrMetadataExtractor.java#L520-L543,
where we use it to perform indexing of PDF documents.
I've tried to look in the recent commits in
https://github.com/apache/tika/commits/3.2.2/tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-pdf-module
to understand a bit better the vulnerability but I'm failing to see it,
and I haven't found any more information in JIRA when browsing the
tickets fixed in 3.2.2.
So would it be possible to get more information about this
vulnerability, like a possible scenario of an exploit so that we can
check quickly if we're impacted or not?
Thanks,
Simon Urli.