Homepage

XML External Entity (XXE) Injection Affecting elasticsearch-9.1 package, versions <9.1.4-r0

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.06% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about XML External Entity (XXE) Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-MINIMOSLATEST-ELASTICSEARCH91-13313336
  • published6 Oct 2025
  • disclosed20 Aug 2025
Report a new vulnerability Found a mistake?

Introduced: 20 Aug 2025

CVE-2025-54988  (opens in a new tab)
CWE-611  (opens in a new tab)

How to fix?

Upgrade Minimos:latest elasticsearch-9.1 to version 9.1.4-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream elasticsearch-9.1 package and not the elasticsearch-9.1 package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard.

Users are recommended to upgrade to version 3.2.2, which fixes this issue.