Did anyone hear anything from the CF team about this? https://www.cve.org/CVERecord?id=CVE-2025-66516
The resolution suggests updating the files to version 3.2.2 from the 1.2.x found in CF.
Posting here as it's flagged critical. Is anyone else also seeing this?
You will of course want to hear from Adobe about this. Until then, I can offer some thoughts.
1) Since you do specifically ask "did anyone hear anything from CF Team about this", I will say that "no, I've not heard anything from them about this", FWIW.
2) Perhaps as important, I can report also that after the updates yesterday (to CF2025, 2023, and 2021), the versions of the tika-core-*.jar files are still 1.x rather than the 3.x that the CVE vuln report calls for.
As such, it seems (on the surface, at least) that "CF is vulnerable".
2a) Often with such things, it's not so clear that the vuln is easily exploited--indeed at all. Sometimes the way a vuln in some java library exists is one that would be difficult or even impossible to exploit in CF.
Still, sec folks don't care about that: they will regard it as a vuln merely for the library not being updated.
3) And so, rather than wait for Adobe to respond here, you should reach out first to the CF team by email at cfsup@adobe.com. And then, because it's a security issue (seemingly "critical"), you could/should also report it to the Adobe PSIRT address, psirt@adobe.com. They would assess the significance and may press the CF team to attend to the matter depending on that assessment. For more on the Adobe product security incident response team (PSIRT), see https://helpx.adobe.com/security.html.
4) Finally, I will note that a lamentable situation (with CF) is that even if a new CF update were to come out that DID update the affected libraries, the replaced ones would REMAIN within the CF instance, in the cfusion/cf-updates folder for the CF update that was applied, in its "backup" folder. Only if you remove (or perhaps zip up) that file will your security scanners stop complaining.
But beware that in doing that, you have now made it so that any uninstall of that CF update will fail, or could leave some functionality failing to work as expected, because of the inability of CF to put that version of the library back in place...and it may be that a given update level of CF *must* run with that older library version. (We can't just go updating or downgrading jars ourselves, if CF relies upon them.)
Hope that's helpful, and better than the lack of any response so far.
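Points 2 and 4 above describe two things worth checking before and after any jar replacement: which Tika jars are actually on disk under the CF root, and which of them live in a cf-updates backup folder (where a scanner will still find them even after the live copy is updated). The following inventory script is an added example, not Adobe's or the poster's code. It assumes the layout the post describes (live jars under cfusion/lib, retained copies under cfusion/cf-updates/<update>/backup/), takes the 3.2.2 threshold from the CVE record quoted in the first post (confirm that against the advisory yourself), and builds a constructed sample tree in a temporary directory so it runs without a real install; the update folder name hf-example in that sample is made up.

```python
"""Inventory Apache Tika jars under a ColdFusion root and flag the ones a scanner will report.

Added example (not Adobe's or the community's code). Assumes live jars under
cfusion/lib and retained copies under cfusion/cf-updates/<update>/backup/, as the
post describes. MINIMUM is the 3.2.2 quoted from the CVE record in the first post.
"""
import os
import re
import tempfile

# Matches tika-core-1.21.jar, tika-parsers-1.21.jar, tika-core-3.2.3.jar, and the
# multi-word artifact names of newer Tika releases (e.g. tika-parsers-xxx-3.2.3.jar).
TIKA_JAR = re.compile(r"^(tika-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar$")
MINIMUM = (3, 2, 2)  # assumption: threshold quoted in the thread; verify against the advisory


def parse_version(text):
    """'1.21' -> (1, 21). Tuples compare component-wise, so (1, 21) < (3, 2, 2)."""
    return tuple(int(p) for p in text.split("."))


def is_update_backup(path):
    """True for a jar retained by a CF update under cf-updates/<update>/backup/."""
    parts = os.path.normpath(path).split(os.sep)
    return "cf-updates" in parts and "backup" in parts


def find_tika_jars(root):
    """Return sorted [(relative_path, artifact, version_tuple, in_backup)] for every Tika jar under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = TIKA_JAR.match(name)
            if not m:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits.append((rel, m.group(1), parse_version(m.group(2)), is_update_backup(full)))
    return sorted(hits)


def vulnerable(hits, minimum=MINIMUM):
    """Split jars below `minimum` into live copies and copies retained by update backups."""
    live = [h for h in hits if h[2] < minimum and not h[3]]
    backup = [h for h in hits if h[2] < minimum and h[3]]
    return live, backup


def build_sample_tree(base):
    """Constructed sample layout (not a real install): tika-core already swapped to 3.2.3,
    tika-parsers still 1.21, and both 1.21 jars retained in a made-up update's backup folder."""
    files = [
        "cfusion/lib/tika-core-3.2.3.jar",
        "cfusion/lib/tika-parsers-1.21.jar",
        "cfusion/lib/other-lib-1.0.jar",  # non-Tika jar; must be ignored
        "cfusion/cf-updates/hf-example/backup/cfusion/lib/tika-core-1.21.jar",
        "cfusion/cf-updates/hf-example/backup/cfusion/lib/tika-parsers-1.21.jar",
    ]
    for rel in files:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"")  # an empty file is enough for a name-based scan


def scan_sample():
    """Build the constructed tree in a temp dir, scan it, and return (hits, live, backup)."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        hits = find_tika_jars(base)
    live, backup = vulnerable(hits)
    return hits, live, backup


def main():
    hits, live, backup = scan_sample()
    for rel, artifact, version, in_backup in hits:
        where = "update backup" if in_backup else "live"
        print(f"{rel}: {artifact} {'.'.join(map(str, version))} [{where}]")
    print(f"below minimum, live: {len(live)}; below minimum, retained in cf-updates backup: {len(backup)}")


if __name__ == "__main__":
    main()
```

To run it against a real instance, call find_tika_jars() with the CF install root (the directory containing cfusion) instead of scan_sample(); the "live" list is what still needs addressing, while the "backup" list is what will keep a scanner complaining even after the live jars are updated, with the uninstall caveat from point 4 applying to anything you remove from it.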
I was trying to replace the existing vulnerable Tika files with newer versions.
There is one issue: the equivalent for tika-core-1.21.jar does exist — tika-core-3.2.3.jar — and replacing it appears to work correctly.
However, the other file, tika-parsers-1.21.jar, no longer has a direct equivalent because it has been split and refactored into many separate JARs in modern Tika releases.
We are currently waiting to hear back from ColdFusion support regarding how they recommend handling this.