Homepage

Resource Exhaustion Affecting apache-tika-3.1-compat package, versions <3.1.0-r1

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.12% (31st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Resource Exhaustion vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-MINIMOSLATEST-APACHETIKA31COMPAT-15368064
  • published3 Mar 2026
  • disclosed15 Jul 2025
Report a new vulnerability Found a mistake?

Introduced: 15 Jul 2025

CVE-2025-48795  (opens in a new tab)
CWE-400  (opens in a new tab)

How to fix?

Upgrade Minimos:latest apache-tika-3.1-compat to version 3.1.0-r1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream apache-tika-3.1-compat package and not the apache-tika-3.1-compat package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing an out of memory exception. In addition, it is possible to configure CXF to encrypt temporary files to prevent sensitive credentials from being cached unencrypted on the local filesystem, however this bug means that the cached files are written out to logs unencrypted.

Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or 4.1.1, which fixes this issue.