On Apache Tika vulnerability CVE-2025-66516
- The fix was released in August.
- It's the same vulnerability as CVE-2025-54988 from August, they just issued a new CVE (which they probably shouldn't have) as they filed the scope wrong.
- It doesn't provide RCE. You can read local files with it as the Java user, e.g. /etc/passwd.
- Exploitation requires knowing a specific endpoint which processes PDFs to be vulnerable (so exploitation would be tailored).
It's not one to panic over.
It's worth noting with that proof of concept, they run the webapp in a way where it accepts a PDF.. and blindly sends the response back to the user wholesale, hence why you get file contents.
I can't imagine a real world scenario where you'd actually do it like that.