On 08.12.2025 at 18:47, Nicolas Garcin via user wrote:

Hi Tilman,

All we’re doing is trying to detect the file MIME type by calling

MediaType detect(InputStream var1, Metadata var2) throws IOException;

of the Detector interface. We do not have anything other than tika-core 1.28.5 in the classpath. So, my understanding is that we do not parse PDF. Correct?


Yes.


Tilman


Be sure that we upgraded our software where it was possible, i.e., for versions compatible with Java 11+. For older versions, it’s obviously not possible.

Regards,

Nicolas

*From:* Tilman Hausherr <[email protected]>
*Sent:* Monday, 8 December 2025 14:05
*To:* [email protected]
*Subject:* Re: CVE-2025-66516 / CVE-2025-54988: Java 8 compatible fix version ?


On 08.12.2025 at 14:01, Nicolas Garcin via user wrote:

    Thanks for your answer Tilman. Two more questions:

      * When do you think 2.9.5 version will be officially released?

Never. 2.x is over.

      * Currently, I’m using version 1.28.5 without embedding
        tika-parsers in my classpath. Am I still vulnerable? I think
        the answer is yes, but if you could confirm this, that would be great.

Do you parse PDFs? Then you're vulnerable. You shouldn't use outdated software: https://en.wikipedia.org/wiki/2017_Equifax_data_breach

Tilman

    Regards,

    Nicolas

    *From:* Tilman Hausherr <[email protected]>
    *Sent:* Monday, 8 December 2025 10:26
    *To:* [email protected]
    *Subject:* Re: CVE-2025-66516 / CVE-2025-54988: Java 8 compatible
    fix version ?


    Also
    
https://repository.apache.org/content/groups/snapshots/org/apache/tika/tika-app/2.9.5-SNAPSHOT/

    Tilman

    On 08.12.2025 at 10:24, Tilman Hausherr wrote:

        No, but you can download an unofficial build here where this
        has been fixed and which uses the latest versions of libraries.

        
https://repository.apache.org/content/groups/snapshots/org/apache/tika/tika-server/2.9.5-SNAPSHOT/

        Tilman

        On 08.12.2025 at 09:47, Nicolas Garcin via user wrote:

            Hello,

            I understand that CVE-2025-66516 / CVE-2025-54988 are
            fixed in Tika 3.2.2. This is fine for the latest version
            of our software which is using Java 17, but older versions
            of our software are still in Java 8. Would it be possible
            to get a fix compatible with Java 8? I understood from
            
https://cwiki.apache.org/confluence/display/TIKA/Tika+Roadmap+--+2.x%2C+3.x+and+Beyond
            that Java 8 is not supported anymore, but knowing the
            criticality of the vuln, it would be great to have a fix for
            Java 8 as well.

            Thanks and Regards,

            Nicolas
