Thanks for your answer Tilman. Two more questions: * When do you think 2.9.5 version will be officially released ? * Currently, I'm using version 1.28.5 without embedding tika-parsers in my classpath. Am I still vulnerable ? I think answer is yes, but if you could confirm this, that would be great.
Regards, Nicolas De : Tilman Hausherr <[email protected]> Envoyé : lundi 8 décembre 2025 10:26 À : [email protected] Objet : Re: CVE-2025-66516 / CVE-2025-54988: Java 8 compatible fix version ? [EXTERNAL EMAIL] Also https://repository.apache.org/content/groups/snapshots/org/apache/tika/tika-app/2.9.5-SNAPSHOT/ Tilman Am 08.12.2025 um 10:24 schrieb Tilman Hausherr: No, but you can download an unofficial build here where this has been fixed and which uses the latest versions of libraries. https://repository.apache.org/content/groups/snapshots/org/apache/tika/tika-server/2.9.5-SNAPSHOT/ Tilman Am 08.12.2025 um 09:47 schrieb Nicolas Garcin via user: Hello, I understand that CVE-2025-66516 / CVE-2025-54988 are fixed in Tika 3.2.2. This is fine for the latest version of our software which is using Java 17, but older versions of our software are still in Java 8. Would it be possible to get a fix compatible with Java 8 ? I understood from https://cwiki.apache.org/confluence/display/TIKA/Tika+Roadmap+--+2.x%2C+3.x+and+Beyond that Java 8 is not supported anymore, but knowing the criticity of the vuln, it would be great to have a fix for Java 8 as well. Thanks and Regards, Nicolas
