Share
## https://sploitus.com/exploit?id=6A3ABA15-D6A9-58B9-AFAD-26F06B785BE9
# CVE-2025-66516: Minimized Verification Environment

This project is designed to test **CVE-2025-66516** (XML External Entity Injection vulnerability in Apache Tika). ## Vulnerability Overview

Apache Tika versions 3.2.1 and earlier failed to properly disable external entity loading when parsing PDF files containing XFA forms, resulting in an XXE vulnerability. Attackers can exploit this vulnerability by constructing malicious PDF files that read sensitive files on the server. ## Environment Requirements

- JDK 11+
- Maven

## How to Use

### 1. Generate a Malicious Payload

Run the `org.example.ExploitGenerator` class. This program will generate `poc-xxe.pdf` in the current directory.  
- **Windows**: Try reading `C:/Windows/win.ini`.  
- **Linux/Mac**: Try reading `/etc/passwd`.

### 2. Perform Vulnerability Verification

Run the `org.example.VulnerabilityVerifier` class. This program will use Tika to parse the generated `poc-xxe.pdf`. If a vulnerability exists, the console will display the content of the read file, wrapped in `HACKED_START` and `HACKED_END`. ## Fixing Suggestions

Upgrade Apache Tika to **3.3.0** or higher.