## https://sploitus.com/exploit?id=6A3ABA15-D6A9-58B9-AFAD-26F06B785BE9
# CVE-2025-66516: Minimized Verification Environment
This project is designed to test **CVE-2025-66516** (XML External Entity Injection vulnerability in Apache Tika). ## Vulnerability Overview
Apache Tika versions 3.2.1 and earlier failed to properly disable external entity loading when parsing PDF files containing XFA forms, resulting in an XXE vulnerability. Attackers can exploit this vulnerability by constructing malicious PDF files that read sensitive files on the server. ## Environment Requirements
- JDK 11+
- Maven
## How to Use
### 1. Generate a Malicious Payload
Run the `org.example.ExploitGenerator` class. This program will generate `poc-xxe.pdf` in the current directory.
- **Windows**: Try reading `C:/Windows/win.ini`.
- **Linux/Mac**: Try reading `/etc/passwd`.
### 2. Perform Vulnerability Verification
Run the `org.example.VulnerabilityVerifier` class. This program will use Tika to parse the generated `poc-xxe.pdf`. If a vulnerability exists, the console will display the content of the read file, wrapped in `HACKED_START` and `HACKED_END`. ## Fixing Suggestions
Upgrade Apache Tika to **3.3.0** or higher.