Hi Tilman, All what we're doing is trying to detect file MIME type by calling
MediaType detect(InputStream var1, Metadata var2) throws IOException; Of Detector interface. We do not have anything else than tika-core 1.28.5 in the classpath. So, my understanding is that we do not parse PDF. Correct ? Be sure that we upgraded our software where it was possible, i.e., for versions compatible with Java 11+. For older versions, it's obviously not possible. Regards, Nicolas De : Tilman Hausherr <[email protected]> Envoyé : lundi 8 décembre 2025 14:05 À : [email protected] Objet : Re: CVE-2025-66516 / CVE-2025-54988: Java 8 compatible fix version ? [EXTERNAL EMAIL] Am 08.12.2025 um 14:01 schrieb Nicolas Garcin via user: Thanks for your answer Tilman. Two more questions: * When do you think 2.9.5 version will be officially released ? Never. 2.x is over. * * Currently, I'm using version 1.28.5 without embedding tika-parsers in my classpath. Am I still vulnerable ? I think answer is yes, but if you could confirm this, that would be great. Do you parse PDFs? Then you're vulnerable. You shouldn't use outdated software: https://en.wikipedia.org/wiki/2017_Equifax_data_breach Tilman * Regards, Nicolas De : Tilman Hausherr <[email protected]><mailto:[email protected]> Envoyé : lundi 8 décembre 2025 10:26 À : [email protected]<mailto:[email protected]> Objet : Re: CVE-2025-66516 / CVE-2025-54988: Java 8 compatible fix version ? [EXTERNAL EMAIL] Also https://repository.apache.org/content/groups/snapshots/org/apache/tika/tika-app/2.9.5-SNAPSHOT/ Tilman Am 08.12.2025 um 10:24 schrieb Tilman Hausherr: No, but you can download an unofficial build here where this has been fixed and which uses the latest versions of libraries. https://repository.apache.org/content/groups/snapshots/org/apache/tika/tika-server/2.9.5-SNAPSHOT/ Tilman Am 08.12.2025 um 09:47 schrieb Nicolas Garcin via user: Hello, I understand that CVE-2025-66516 / CVE-2025-54988 are fixed in Tika 3.2.2. This is fine for the latest version of our software which is using Java 17, but older versions of our software are still in Java 8. Would it be possible to get a fix compatible with Java 8 ? I understood from https://cwiki.apache.org/confluence/display/TIKA/Tika+Roadmap+--+2.x%2C+3.x+and+Beyond that Java 8 is not supported anymore, but knowing the criticity of the vuln, it would be great to have a fix for Java 8 as well. Thanks and Regards, Nicolas
