CVE-2025-66516 Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5)

Article ID: 421964


Products

CA Identity Suite

Issue/Introduction

A security scan reports CVE-2025-66516 on vApp and standalone IGA 14.5 and 14.5.1.

Affected Components:

  • tika-core (v1.13–3.2.1) → Patched in 3.2.2
  • tika-parser-pdf-module (v2.0.0–3.2.1) → Patched in 3.2.2
  • tika-parsers (v1.13–<2.0.0) → Patched in 2.0.0

Environment

Identity Manager 14.5.1

Standalone

vApp 

Cause

CVE-2025-66516 Details

Resolution

The Virtual Appliance and standalone deployments do use tika-core.jar, but our application does not use the tika-parsers or tika-parser-module JARs. We use MIME detection, and we do not invoke any of the parsing functionality affected by this reported vulnerability. Neither standalone nor Virtual Appliance is vulnerable. The information in CVE-2025-66516 cannot be utilized in any form of attack against the IGA suite.

Follow your site's policy to "white list" this CVE, as your scan will report this Tika CVE in 14.5 and 14.5.1.

This CVE will not be reported in v15, as we use later versions of the Tika parser. Migrate and upgrade to v15.
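
To confirm which Tika JARs a scanner is actually flagging, the following added example (not part of the original article and not Broadcom code) inventories `tika-*.jar` files under a directory and compares them with the affected ranges listed above. It assumes Maven-style file names such as `tika-core-1.28.5.jar`, and for an unversioned name such as `tika-core.jar` it assumes the manifest carries an `Implementation-Version` entry; anything it cannot resolve is marked `review`.

```python
import re
import sys
import zipfile
from pathlib import Path

# Affected ranges as listed on this page, as half-open [first affected, first patched).
AFFECTED = {
    "tika-core": ((1, 13), (3, 2, 2)),
    "tika-parser-pdf-module": ((2, 0, 0), (3, 2, 2)),
    "tika-parsers": ((1, 13), (2, 0, 0)),
}
NAME_RE = re.compile(r"^(tika-[a-z-]+?)(?:-(\d+(?:\.\d+)*)([-.][A-Za-z][\w.-]*)?)?\.jar$")


def manifest_version(jar_path):
    """Read Implementation-Version from META-INF/MANIFEST.MF (assumed present), else None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, OSError, zipfile.BadZipFile):
        return None
    match = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
    return match.group(1) if match else None


def classify(artifact, version):
    """Return 'affected', 'not affected', 'not listed' or 'review' for one artifact."""
    if artifact not in AFFECTED:
        return "not listed"
    if not version or not re.fullmatch(r"\d+(\.\d+)*", version):
        return "review"  # missing version or pre-release qualifier: check by hand
    low, fixed = AFFECTED[artifact]
    parsed = tuple(int(part) for part in version.split("."))
    return "affected" if low <= parsed < fixed else "not affected"


def scan(root):
    """Yield (jar name, artifact, version, verdict) for every tika-*.jar under root."""
    for path in sorted(Path(root).rglob("tika-*.jar")):
        match = NAME_RE.match(path.name)
        if not match:
            continue
        artifact, number, qualifier = match.groups()
        version = (number + (qualifier or "")) if number else manifest_version(path)
        yield path.name, artifact, version, classify(artifact, version)


if __name__ == "__main__":
    for row in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("\t".join(str(field) for field in row))
```

The script reports only which JARs are present and whether their versions fall in the listed ranges; it does not show whether the application invokes the parsing code.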