
CVE-2025-54988 & CVE-2025-66516 - Apache Tika Components' Vulnerability

eertul
Participant

We found a lot of Tika components under "/opt/dynatrace-binary/elasticsearch/modules/ingest-attachment/" which are affected by CVE-2025-66516.

Our version is 1.312. Are there any mitigations or suggestions?

Thanks.

Erhan.

AntonPineiro
DynaMight Guru

Hi,

If you read this, they recommend upgrading to version 3.2.2.

Best regards

❤️ Emacs ❤️ Vim ❤️ Bash ❤️ Perl

MaciejNeumann
Community Team

Hello @eertul,

In this article you'll find all the needed information on how to report a security vulnerability to Dynatrace:
Report a security vulnerability
If you follow all the steps in it, you'll get all your questions answered in the support ticket.

As for both CVEs you've mentioned, I can already see two internal tickets about them. As soon as official communication about them is available, you'll be able to see it in this article:
Dynatrace CVE status (Common Vulnerabilities and Exposures) 

If you have any questions about the Community, you can contact me at maciej.neumann@dynatrace.com

sujit_k_singh
Advisor

Hello @eertul,

One of my colleagues faced the same issue in his monitoring project and fixed it by upgrading the Tika components to the higher recommended versions in a lower environment first. After replacing the JARs under /opt/dynatrace-binary/elasticsearch/modules/ingest-attachment/ and restarting the service, the vulnerability scan cleared.
The recommended versions are:

tika-core → 3.2.2 or later
tika-parser-pdf-module → 3.2.2 or later
tika-parsers → 2.0.0 or later

Thanks,

Sujit

Dynatrace Professional Certified
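
A read-only inventory check for the directory and minimum versions mentioned in this thread, as an added example (not part of any post, and not Dynatrace or Apache tooling). It assumes the JARs keep Maven's `artifact-version.jar` file naming; the status labels and function names are this example's own.

```python
import re
import sys
from pathlib import Path

# Directory named in the thread; pass another path as argv[1] if yours differs.
DEFAULT_DIR = "/opt/dynatrace-binary/elasticsearch/modules/ingest-attachment/"
# Minimum versions exactly as listed in the thread (not an official advisory).
MIN_VERSIONS = {
    "tika-core": (3, 2, 2),
    "tika-parser-pdf-module": (3, 2, 2),
    "tika-parsers": (2, 0, 0),
}
# Assumption: JARs keep Maven's "<artifact>-<version>[-qualifier].jar" naming.
JAR_RE = re.compile(r"(tika-[a-z0-9-]+?)-(\d+(?:\.\d+)+)(?:-[A-Za-z0-9.]+)?\.jar")


def parse_jar(filename):
    """Return (artifact, version_tuple), or None if the name is not recognised."""
    m = JAR_RE.fullmatch(filename)
    if not m:
        return None
    version = tuple(int(p) for p in m.group(2).split("."))
    return m.group(1), version + (0,) * (3 - len(version))  # pad "2.0" to 2.0.0


def audit(module_dir):
    """Return (filename, status) for every tika-*.jar directly under module_dir."""
    root = Path(module_dir)
    if not root.is_dir():
        raise NotADirectoryError(module_dir)  # a missing path must not look clean
    results = []
    for jar in sorted(root.glob("tika-*.jar")):
        parsed = parse_jar(jar.name)
        if parsed is None:
            status = "UNPARSED"  # renamed or unversioned JAR: check by hand
        elif parsed[0] not in MIN_VERSIONS:
            status = "NOT_LISTED"  # Tika artifact the thread gives no version for
        else:
            status = "OK" if parsed[1] >= MIN_VERSIONS[parsed[0]] else "BELOW_MINIMUM"
        results.append((jar.name, status))
    return results


if __name__ == "__main__":
    findings = audit(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR)
    for name, status in findings:
        print(f"{status:14} {name}")
    # Non-zero exit lets a scheduled job flag the host.
    sys.exit(1 if any(s in ("BELOW_MINIMUM", "UNPARSED") for _, s in findings) else 0)
```

The check relies on file names only, so a JAR that bundles Tika classes under another name will not appear in the output.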
