Apache Tika Vulnerabilities CVE-2022-25169 and CVE-2022-30126 

Issue date: 29-06-2022
Affects versions: 15.0, 14.7, 13.4

Security Issue ID



Affected Product Version(s)

15.0.0, 14.7.6, 13.4.17, and all previous versions





The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.

In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler.

These functions are not used by brXM in its default configuration, but they could be enabled by customizations within project code. This is unlikely, and the risk is mitigated by the fact that uploads of vulnerable payloads are likely possible only by trusted content editors.


Update to the latest version.