Security Bulletin: HCL Notes is affected by an XML External Entity (XXE) vulnerability in Apache Tika (CVE-2025-54988)
Daniel Nashed – 22 September 2025 08:52:18
That's the risk you take when adding external libs to your software: You can be hit by an upstream vulnerability.
In this case Tika has an issue with indexing PDF attachments.
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124165
Notes and Domino both run Tika as an external stand-alone Java application, which the client or server talks to over TCP/IP loopback.
The Tika server is started as the same user as the client/server. On the server side this should usually be a non-privileged user.
So the risk for Notes/Domino might not be as high as the original CVE rating suggests.
Still, it makes sense to replace Tika if you are indexing databases with attachments in your environment.
There will be a fix provided by HCL. But you can also replace the Tika jar file manually today.
https://tika.apache.org/download.html
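After swapping the jar manually, a quick way to confirm that no older Tika jar is left behind, as an added shell check that is not part of this post or of HCL's fix (the program directory argument is an assumption; pass wherever your Notes/Domino install keeps its Tika jars):

```shell
#!/bin/sh
# Added example (not from the bulletin or from HCL): verify that every
# tika-*.jar in a directory is at least the fixed release named above.
# The directory is an assumption; pass your Notes/Domino program directory.

MIN_TIKA_VERSION="3.2.3"   # first release the bulletin names as fixed

# tika_version_from_jar FILE: print the version embedded in a jar filename
# such as tika-server-standard-3.2.3.jar; print nothing if there is none.
tika_version_from_jar() {
  basename "$1" | sed -n 's/^tika-.*-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing
# each numeric field so that 3.10.0 sorts above 3.2.3 (string compare would not).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# check_tika_dir DIR: report every tika-*.jar in DIR as OK, VULNERABLE or
# UNKNOWN; succeed only if at least one jar was found and none is older than
# MIN_TIKA_VERSION. Jars without a version in the name count as failures,
# because they cannot be shown to be fixed.
check_tika_dir() {
  dir="$1"; found=0; bad=0
  for jar in "$dir"/tika-*.jar; do
    [ -e "$jar" ] || continue
    found=$((found + 1))
    ver=$(tika_version_from_jar "$jar")
    if [ -z "$ver" ]; then
      echo "UNKNOWN    $jar (no version in filename)"; bad=$((bad + 1))
    elif version_ge "$ver" "$MIN_TIKA_VERSION"; then
      echo "OK         $jar ($ver)"
    else
      echo "VULNERABLE $jar ($ver < $MIN_TIKA_VERSION)"; bad=$((bad + 1))
    fi
  done
  [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Usage: sh tika-check.sh /path/to/domino/program/dir
[ $# -gt 0 ] && check_tika_dir "$1"
```

The check only looks at the jar filename, so it tells you which file is on disk, not which one the running Tika process loaded; restart the client or server after replacing the jar.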
Container image
The Domino container project supports replacing Tika at build time.
I have removed previous Tika versions from the software list and added the latest 3.2.3 version this morning.
If you are running the container image, you can just use the -tika option to rebuild your container image with the fixed version of Tika.
-- Daniel