You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Customer security teams escalated CVE-2025-66516 (Apache Tika XFA XXE/SSRF) that exposes file read and SSRF vectors in our bundled Tika plugin.
dotCMS currently ships Apache Tika 2.8.0 via independent-projects/core-plugins/tika-plugin/pom.xml and 1.28.5 in osgi-base/system-bundles/pom.xml, both of which are vulnerable.
We must upgrade every Tika artifact we publish (core plugin, shaded bundles, docker images) to the patched Tika release and communicate availability to customers.
osgi-base/system-bundles/pom.xml still references 1.28.5 when embedding the plugin.
Vulnerability allows malicious PDFs with XFA forms to exfiltrate local files and perform SSRF once parsed. Public PoC already exists.
Acceptance Criteria
Upgrade all Apache Tika dependencies (core + parsers) to the first fixed version (latest 2.x containing the XXE patch; confirm upstream release notes).
Ensure OSGi/system bundle packaging embeds the updated plugin and no longer distributes prior versions.
Rebuild/publish patched dotCMS containers or plugins and update dev.dotcms.com/docs/known-security-issues with mitigation guidance.
Add regression coverage (unit or integration) around PDF ingestion to ensure no parsing regressions with the new Tika.
Communicate availability to Support for responding to ticket 34718.
