Vulnerability CVE-2025-66516 was reported against the Apache Tika project. This is a critical XXE (XML External Entity) vulnerability in Apache Tika that affects the tika-core (versions 1.13 to 3.2.1), tika-pdf-module (2.0.0 to 3.2.1) and tika-parsers (1.13 to 1.28.5) modules. The vulnerability allows an attacker to carry out XML External Entity injection via a crafted XFA file inside a PDF. This can lead to unauthorized access to sensitive files, server-side request forgery (SSRF), or denial of service.
The Sling Starter continues to use Tika 1.x due to backwards compatibility concerns. The migration from Tika 1.x to Tika 3.x involves changes to exported package versions that could break existing applications. The Apache Sling PMC is tracking the upgrade to Tika 3.x in SLING-12047 as a long-term task.
The Sling Starter still ships with Tika version 1.28.5, which is vulnerable to this CVE. However, the Apache Sling PMC has mitigated the risk by adding the org.apache.sling:org.apache.sling.jaxp-configurator bundle to the Sling Starter. This bundle disables the attack vector used by the vulnerability by enforcing best practices regarding XML parsing. The mitigation work is tracked in SLING-13085.
Sling Starter version 14 will include this mitigation by default.
The Apache Sling PMC strongly encourages including the org.apache.sling:org.apache.sling.jaxp-configurator bundle in your feature model and ensuring it is the first bundle to start up. For projects using a similar structure to the Sling Starter, it is recommended to add the jaxp-configurator as the first bundle in the boot.json feature file.