XXE in Apache Tika tika-parser-pdf-module via crafted XFA in PDF

This repository is a proof-of-concept (PoC) project for demonstrating an XXE (XML External Entity) vulnerability in Apache Tika version 3.2.1 (CVE-2025-54988). The project is a Java Spring Boot application that exposes HTTP endpoints for file upload and processing. The main endpoint of interest is /api/extract-text, which uses Apache Tika to extract text from uploaded files. If a specially crafted malicious PDF is uploaded to this endpoint, it will trigger the XXE vulnerability in Tika, potentially allowing attackers to read arbitrary files or perform other XXE-based attacks. The repository includes Docker support for easy deployment, as well as scripts for building and running the application. The codebase is small, with the main logic contained in TikaController.java. The /api/detect-type endpoint is also exposed but does not trigger the vulnerability. The repository is intended for security testing and demonstration purposes.

This repository provides a proof-of-concept (POC) exploit for CVE-2025-54988, targeting XML External Entity (XXE) vulnerabilities in PDF parsers that support XFA forms. The main script, 'xfa_xxe_poc_gen.py', is a Python tool that generates malicious PDF files containing XFA forms with embedded XXE payloads. It supports two modes: 'file' mode for local file read (e.g., extracting /etc/passwd from the target system), and 'oob' (out-of-band) mode, which leverages an attacker-hosted DTD to exfiltrate file contents to a remote server via HTTP/HTTPS. The script can also generate the necessary DTD file for OOB attacks. The README provides usage instructions and example commands. The repository is structured simply, with one Python exploit script and a README. The exploit is a POC and does not include a customizable payload delivery mechanism beyond the generated PDF and DTD files.