Kevin Beaumont @GossiTheDog@cyberplace.social
6mo
Defer to @todb on this as CVE expert(tm) but shouldn't CVE-2025-66516 have been an update of CVE-2025-54988? It's the same vulnerability.

lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
Kevin Beaumont @GossiTheDog@cyberplace.social
6mo
On Apache Tika vulnerability CVE-2025-66516

- The fix was released in August.

- It's the same vulnerability as CVE-2025-54988 from August, they just issued a new CVE (which they probably shouldn't have) as they filed the scope wrong.

- It doesn't provide RCE. You can read local files with it as the Java user, e.g. /etc/passwd.

- Exploitation requires knowing a specific endpoint which processes PDFs to be vulnerable (so exploitation would be tailored).

It's not one to panic over.
Kevin Beaumont @GossiTheDog@cyberplace.social
6mo
There's a working proof of concept on GitHub, which appears vibe-coded with AI. It introduces a deliberately vulnerable webapp.

It's pretty funny they posted about it in /r/cybersecurity but got downvoted to oblivion as their messaging was fucking awful.
Kevin Beaumont @GossiTheDog@cyberplace.social
6mo
It's worth noting with that proof of concept, they run the webapp in a way where it accepts a PDF, and blindly sends the response back to the user wholesale, hence why you get file contents.

I can't imagine a real world scenario where you'd actually do it like that.
Kevin Beaumont @GossiTheDog@cyberplace.social
6mo
Here's the author's slightly bonkers Reddit post. I'll give you a spoiler: they didn't create this in 30 minutes. The README says so; it took them ages to make it vulnerable.
sijmen @sijmen@shrimp.vijf.life
6mo
@GossiTheDog aaand it's gone