Apache Solr extraction module vulnerable to XXE attacks via XFA content in PDFs (CVE-2025-66516) | News | KandaSearch

Posted: December 24, 2025


Vendor:

The Apache Software Foundation

Severity:

High

Versions Affected:

  • Apache Solr 6.2.0 through 9.10.0 (when using the extraction module)

Description:

Solr's extraction module (SolrCell) uses Apache Tika to extract content from PDF files. An XML External Entity (XXE) vulnerability in Tika's parsing of XFA form content lets an attacker who can submit a specially crafted PDF for extraction cause the server to read files it has access to.

Who is affected:

  • Solr instances using the extraction module with the 'local' backend (default)
  • Systems that allow untrusted users to upload PDF files for indexing

Who is NOT affected:

  • Solr instances not using the extraction module
  • Deployments using the TikaServer extraction backend in Solr 9.10

Impact:

  • Solr 6.2-8.x: Attackers can read arbitrary system files (e.g., /etc/passwd, application secrets)
  • Solr 9.x: The Java Security Manager (enabled by default) limits file access to Solr's directories only, reducing impact. However, Solr configuration files and indexed data remain at risk.
  • All versions: Possible denial of service and limited network requests

Mitigation:

Disable XFA form parsing in PDFs by configuring a parseContext file.

Step 1: Create or edit parseContext.xml in your configset's conf/ directory:

<?xml version="1.0" ?>
<entries>
  <entry class="org.apache.tika.parser.pdf.PDFParserConfig" impl="org.apache.tika.parser.pdf.PDFParserConfig">
    <property name="extractAcroFormContent" value="false"/>
  </entry>
</entries>

Step 2: Reference this file in your extraction handler in solrconfig.xml:

<requestHandler name="/update/extract" class="org.apache.solr.handler.extraction.ExtractingRequestHandler">
  <str name="parseContext.config">parseContext.xml</str>
</requestHandler>

Step 3: Reload your collection or restart Solr.

Note: Solr 9.10.1 and later (once available) will include this mitigation by default.
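As an added example (not part of the advisory and not Solr's or Tika's own code), a small offline check that parses a configset's solrconfig.xml, follows the parseContext.config reference of each ExtractingRequestHandler, and reports whether the referenced parseContext.xml actually turns extractAcroFormContent off. The sample XML is constructed inline to match Steps 1 and 2; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
# Constructed sample of the extraction handler block from solrconfig.xml,
# as Step 2 of the advisory configures it.
SOLRCONFIG_XML = """<config>
  <requestHandler name="/update/extract"
                  class="org.apache.solr.handler.extraction.ExtractingRequestHandler">
    <str name="parseContext.config">parseContext.xml</str>
  </requestHandler>
</config>"""
# Constructed parseContext.xml matching Step 1 of the advisory.
PARSECONTEXT_XML = """<?xml version="1.0" ?>
<entries>
  <entry class="org.apache.tika.parser.pdf.PDFParserConfig"
         impl="org.apache.tika.parser.pdf.PDFParserConfig">
    <property name="extractAcroFormContent" value="false"/>
  </entry>
</entries>"""
EXTRACT_HANDLER = "org.apache.solr.handler.extraction.ExtractingRequestHandler"
PDF_CONFIG = "org.apache.tika.parser.pdf.PDFParserConfig"

def parse_context_files(solrconfig_xml):
    """Map each ExtractingRequestHandler name to its parseContext.config value (None if unset)."""
    handlers = {}
    for h in ET.fromstring(solrconfig_xml).iter("requestHandler"):
        if h.get("class") != EXTRACT_HANDLER:
            continue
        ctx = None
        for s in h.findall("str"):
            if s.get("name") == "parseContext.config":
                ctx = (s.text or "").strip() or None
        handlers[h.get("name")] = ctx
    return handlers

def acroform_disabled(parsecontext_xml):
    """True only if a PDFParserConfig entry sets extractAcroFormContent=false."""
    if not parsecontext_xml:
        return False  # missing or empty file: Tika keeps its default (enabled)
    for entry in ET.fromstring(parsecontext_xml).iter("entry"):
        if entry.get("class") != PDF_CONFIG:
            continue
        for prop in entry.findall("property"):
            if prop.get("name") == "extractAcroFormContent":
                return (prop.get("value") or "").strip().lower() == "false"
    return False

def check_mitigation(solrconfig_xml, conf_files):
    """conf_files maps file name -> contents as read from the configset's conf/ directory."""
    return {name: ctx is not None and acroform_disabled(conf_files.get(ctx))
            for name, ctx in parse_context_files(solrconfig_xml).items()}
```

A handler that is reported False is either missing the parseContext.config reference, pointing at a file that is absent from conf/, or pointing at a file that does not set the property to false; deployments on the Solr 9.10 TikaServer backend are outside this check.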

Credit:

Apache Tika Security Team (vulnerability discovery)

References:

Original source

https://solr.apache.org/security.html#cve-2025-66516-apache-solr-extraction-module-vulnerable-to-xxe-attacks-via-xfa-content-in-pdfs
