Hi,
Would you mind confirming that CVE-2025-66516 is effectively the same as 
CVE-2025-54988? Our understanding was that 66516 was issued to clarify the 
affected packages (including tika-parsers 1.x) and the remediation steps 
(upgrading tika-core as well), but the underlying vulnerable code is the same. 
However, we noticed that the ASF submitted 54988 with a CVSSv3 score of 8.4 
(high), while 66516 has a CVSSv4 score of 10.0 (critical). Given the severity 
of this vulnerability, we wanted to be completely sure whether these were the 
same and whether the mitigations mentioned in 
https://lists.apache.org/thread/qkgd43gjnb6gyzvbcq24lz98w0hod75g are still 
sufficient.

Thanks,
Rajiv
