Attackers can exploit several security vulnerabilities to attack computers running Apache HTTP Server or Tika. The descriptions of the vulnerabilities suggest that attackers could compromise systems in the worst-case scenario.
Tika is used to extract metadata from documents. HTTP Server is a widely used web server. Especially in the latter case, successful attacks can have far-reaching consequences if attackers gain control of servers.
Multiple Security Issues
In a warning message for HTTP Server, the developers list five closed vulnerabilities. The classification of the threat levels is apparently still pending. The emergency team CERT Bund of the Federal Office for Information Security (BSI) classifies the danger as "critical".
Among other things, memory errors can occur in the context of ACME certificates (CVE-2025-55753). This typically leads to crashes (DoS attack) or can even allow malicious code to enter systems. This vulnerability was reported in August of this year. However, a security update is only available now. So far, there are no reports that attackers are already exploiting the vulnerability. The developers state that they have closed the security vulnerabilities in HTTP Server 2.4.66.
Tika is vulnerable to a "critical" flaw (CVE-2025-54988). The vulnerability is rated with the maximum CVSS score of 10 out of 10. In this case, attackers can trick victims into processing a prepared PDF file, which triggers errors. This leads to DoS conditions but can also leak information. Version 3.2.2 is said to be equipped to handle this. For the protection to take effect, users must ensure that both tika-parser-pdf-module and tika-core are up to date.
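The following check is an added example and is not part of the original article: it scans inventory lines for HTTP Server and for both Tika artifacts and reports anything older than the fixed versions named above. It assumes the input is `httpd -v` output plus a listing of jar files using the usual `name-version.jar` naming; the function names and the sample data are constructed for illustration.

```python
import re

# Fixed versions as stated in the article.
FIXED = {
    "httpd": (2, 4, 66),
    "tika-core": (3, 2, 2),
    "tika-parser-pdf-module": (3, 2, 2),
}

# Assumption: jars follow the name-version.jar convention.
JAR_RE = re.compile(r"(tika-core|tika-parser-pdf-module)-(\d+(?:\.\d+)*)\.jar$")
# Matches the "Server version: Apache/x.y.z" line printed by `httpd -v`.
HTTPD_RE = re.compile(r"Apache/(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '3.2.2' into (3, 2, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def find_outdated(lines):
    """Return sorted (component, version) pairs older than the fixed release."""
    findings = set()
    for line in lines:
        match = JAR_RE.search(line.strip())
        if match:
            name, version = match.group(1), match.group(2)
        else:
            match = HTTPD_RE.search(line)
            if not match:
                continue  # unrelated line, e.g. another library
            name, version = "httpd", match.group(1)
        if parse_version(version) < FIXED[name]:
            findings.add((name, version))
    return sorted(findings)


# Constructed sample inventory: tika-core is current, the PDF module is not.
SAMPLE = [
    "Server version: Apache/2.4.65 (Unix)",
    "/opt/app/lib/tika-core-3.2.2.jar",
    "/opt/app/lib/tika-parser-pdf-module-3.1.0.jar",
    "/opt/app/lib/commons-io-2.16.1.jar",
]

if __name__ == "__main__":
    for name, version in find_outdated(SAMPLE):
        fixed = ".".join(str(n) for n in FIXED[name])
        print(f"{name} {version} is older than {fixed}")
```

The sample shows the mixed state the article warns about: an updated tika-core next to a stale tika-parser-pdf-module is still reported.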
(des)
This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.