Executive Summary - Action Required
The Apache Software Foundation has disclosed two critical-severity vulnerabilities, CVE-2025-54988 and CVE-2025-66516, affecting multiple versions of Apache Tika (tika-parser-pdf-module, tika-core, and tika-parsers). Pega is making hotfixes and patches available for the latest affected patch releases. We strongly advise clients to apply the hotfix or patch releases Pega has made available.
These vulnerabilities can affect Pega clients running on releases 7.x through 24.2.2 of Pega Infinity. We are not aware of any of our clients being compromised because of these vulnerabilities.
To prevent malicious actors from exploiting these vulnerabilities, Pega has created the following remediations, which replace the potentially vulnerable Apache Tika libraries with corrected versions. A hotfix is available for the latest affected patch releases, 23.1.5 and 24.1.3. Patch release remediation is listed below.
| Advisory | Description | Impact | Patch Remediation | Hotfix Remediation |
|---|---|---|---|---|
| Apache Tika Vulnerability | Improper Restriction of XML External Entity Reference | An XXE, or XML External Entity, attack is a security vulnerability that allows an attacker to interfere with an application's processing of XML data by injecting malicious XML entities. XXE vulnerabilities occur when an application uses a misconfigured or outdated XML parser that doesn't properly disable support for external entities. | 24.1.4 Patch Release (targeted for Jan '26); 24.2.3 Patch Release; 25.1.0 Release; deploy the Search and Reporting Service (SRS) image version 1.42.1 or higher | 24.1.3 - HFIX-C4044; 23.1.5 - HFIX-C4043 |
Dates for all upcoming Infinity patch releases can be found here: Pega Infinity Patch Calendar.
Impact
An XXE, or XML External Entity, attack is a security vulnerability that allows an attacker to interfere with an application's processing of XML data by injecting malicious XML entities. XXE vulnerabilities occur when an application uses a misconfigured or outdated XML parser that doesn't properly disable support for external entities.
Issue Details
| Issue Details | Issue: Improper Access Control |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 7.x to 22.2.2 |
| CVE ID | CVE-2025-54988 and CVE-2025-66516 |
| CVSS Rating (CVSS 4.0) | Critical – 9.8 and 10.0 |
| Description | Improper Restriction of XML External Entity Reference |
Obtaining your Hotfixes
Hotfixes are being created only for the patch releases listed above, under Hotfix Remediation. A restart is needed after hotfix installation. We will not provide hotfixes on prior versions of the platform.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, security, and bug fixes. See Keeping Current with Pega for details.
- Pega Cloud® clients, using the versions listed above, will have hotfixes applied proactively, with Cloud Maintenance (CM) cases detailing the schedule. If you are not on a version with a solution provided, please update promptly.
- United States Pega Cloud for Government (PCFG) clients will have Cloud Change (CC) cases created for relevant hotfixes, which Pega will apply. If you are not on a version with a solution provided, please update promptly.
- On-premises or client-managed cloud clients should check the table above for applicable hotfixes and download them directly from My Security Hotfixes on My Pega.
For questions, submit a Support ticket through My Support Portal.