
Releases: sassoftware/tika

v2.9.4-SAS.0.0.1

16 Dec 17:45
fefa5d7


Merge pull request #10 from sassoftware/pr-viya35-508

fix: add SAS version for release

Apache Tika 1.28.5 Security Release: CVE-2025-66516 & CVE-2025-54988

15 Dec 18:25


Security Fixes for Apache Tika 1.28.5

Fixed XXE vulnerabilities in Apache Tika 1.28.5:

  • CVE-2025-66516 (CRITICAL CVSS 10.0): XXE in XMLInputFactory via XFA forms
  • CVE-2025-54988 (HIGH CVSS 8.4): XXE in TransformerFactory via XSLT

Changes

  • Hardened XMLReaderUtils.getXMLInputFactory() with ACCESS_EXTERNAL_DTD, SUPPORT_DTD, IS_SUPPORTING_EXTERNAL_ENTITIES
  • Added getTransformerFactory() with FEATURE_SECURE_PROCESSING and XXE protections
  • Added getSAXTransformerFactory() with identical XXE protections
  • Updated getTransformer() to use secure getTransformerFactory()

Test Coverage

  • 13 comprehensive CVE security tests (1101 lines)
  • All 276 tika-core + 47 tika-app tests passing
  • Java 8 compatible

Documentation

Complete vulnerability analysis and fix documentation available in the branch README.

Related

Apache Tika 2.9.4 - CVE-2025-66516 & CVE-2025-54988 Security Fixes

12 Dec 20:06


Security Fixes for Apache Tika 2.9.4

Fixed XXE vulnerabilities in Apache Tika 2.9.4:

  • CVE-2025-66516 (CRITICAL CVSS 10.0): XXE in XMLInputFactory via XFA forms
  • CVE-2025-54988 (HIGH CVSS 8.4): XXE in TransformerFactory via XSLT

Changes

  • Hardened XMLReaderUtils.getXMLInputFactory() with ACCESS_EXTERNAL_DTD, SUPPORT_DTD, IS_SUPPORTING_EXTERNAL_ENTITIES
  • Added getTransformerFactory() with FEATURE_SECURE_PROCESSING and XXE protections
  • Added getSAXTransformerFactory() with identical XXE protections
  • Updated getTransformer() to use secure getTransformerFactory()
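The factory hardening listed under Changes for both the 1.28.5 and 2.9.4 releases, as an added illustrative example (not Tika's XMLReaderUtils code); the class name SafeXmlFactories, its method names and the countElements check are assumptions:

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

// Illustrative helper (assumed names, not Tika's XMLReaderUtils): builds a
// StAX factory and a TrAX factory with the settings the release notes list.
public final class SafeXmlFactories {
    public static XMLInputFactory hardenedXMLInputFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Never expand external entities, the classic XXE vector.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Do not process DTDs, so entity declarations are not honoured at all.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Also forbid external DTD fetches; some StAX impls reject the property name.
        try {
            f.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        } catch (IllegalArgumentException ignored) { }
        return f;
    }

    public static TransformerFactory hardenedTransformerFactory()
            throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing disables extension functions and applies limits.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Block external DTD and stylesheet fetches (document(), xsl:import).
        try {
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException ignored) { }
        return tf;
    }

    // Parses untrusted XML with the hardened reader; entities are never resolved.
    public static int countElements(String xml) throws XMLStreamException {
        XMLStreamReader r = hardenedXMLInputFactory()
                .createXMLStreamReader(new StringReader(xml));
        int n = 0;
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.START_ELEMENT) n++;
        }
        r.close();
        return n;
    }
}
```

The try/catch around the ACCESS_EXTERNAL_* settings is deliberate: the JDK's built-in StAX and XSLT implementations accept them, while some alternative implementations throw IllegalArgumentException for unknown names, and SUPPORT_DTD=false and FEATURE_SECURE_PROCESSING still apply in that case.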

Test Coverage

  • 13 comprehensive CVE security tests
  • All tika-core + tika-app tests passing

Documentation

Complete vulnerability analysis and fix documentation available in the branch README.

Related

  • Fix for Apache Tika 1.28.5: https://github.com/sassoftware/tika/tree/1.28.5-CVE-2025-66516-CVE-2025-54988