Security Bulletin: HCL Notes is affected by an XML External Entity (XXE) vulnerability in Apache Tika (CVE-2025-54988)
Daniel Nashed – 22 September 2025 08:52:18
That's the risk you take when adding external libs to your software: You can be hit by an upstream vulnerability.
In this case Tika has an issue with indexing PDF attachments.
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124165
Notes and Domino both run Tika as an external stand-alone Java application where the client or server is talking to it over TCP/IP loopback.
The Tika server is started as the same user as the client/server. On the server side this should usually be a non-privileged user.
So the risk for Notes/Domino might not be as high as the original CVE rating suggests.
Still, it makes sense to replace Tika if you are indexing databases with attachments in your environment.
There will be a fix provided by HCL. But you can also replace the Tika jar file manually today.
Note: Replacing the Tika server jar will only work with Notes/Domino 14.0+ because the current Tika release will only work with Java 11+.
Notes/Domino introduced Java 17 in version 14.0. Older versions are still running Java 8.
https://tika.apache.org/download.html
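As an added example (not part of the original post and not HCL or Apache tooling), this Python script reads the class-file major version of every class in a tika-server jar and reports the Java release it needs, so the Java 8 / Java 11 mismatch (class version 52 vs. 55) is caught before the jar is swapped on a Domino server. The sample jar it builds is constructed inline; the file name in the usage comment is a placeholder.

```python
import io
import struct
import sys
import zipfile

CLASS_MAGIC = 0xCAFEBABE  # every Java class file starts with this magic number

def java_release_for_major(major: int) -> int:
    """Map a class-file major version to a Java release (52 -> 8, 55 -> 11, 61 -> 17)."""
    return major - 44

def class_major_version(class_bytes: bytes) -> int:
    """Read the major version from a class-file header: magic(4) minor(2) major(2)."""
    magic, _minor, major = struct.unpack(">IHH", class_bytes[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("not a Java class file")
    return major

def jar_required_java(jar_bytes: bytes) -> int:
    """Highest Java release any class in the jar needs. Entries under
    META-INF/versions/ are skipped: older JVMs ignore multi-release classes."""
    highest = 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and not name.startswith("META-INF/versions/"):
                highest = max(highest, class_major_version(zf.read(name)))
    if highest == 0:
        raise ValueError("no class files found in jar")
    return java_release_for_major(highest)

def can_run_on(jar_bytes: bytes, runtime_java: int) -> bool:
    """True if a JVM of the given release can load every class in the jar."""
    return jar_required_java(jar_bytes) <= runtime_java

def make_sample_jar(major: int) -> bytes:
    """Constructed test jar with one minimal class header (not a real Tika build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        header = struct.pack(">IHH", CLASS_MAGIC, 0, major) + b"\x00" * 8
        zf.writestr("org/apache/tika/server/core/TikaServerCli.class", header)
    return buf.getvalue()

if __name__ == "__main__":
    # Usage: python check_tika_jar.py <path-to-tika-server.jar> <runtime Java release, e.g. 8>
    jar = open(sys.argv[1], "rb").read()
    need, have = jar_required_java(jar), int(sys.argv[2])
    print(f"jar needs Java {need}, runtime is Java {have}: {'OK' if need <= have else 'MISMATCH'}")
```

Run it against the downloaded jar with the Java release your Notes/Domino build ships (8 for 12.x, 17 for 14.0+); a MISMATCH is exactly the UnsupportedClassVersionError you would otherwise see at server start.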
Container image
The Domino container project supports replacing Tika at build time.
I have removed previous Tika versions from the software list and added the latest 3.2.3 version this morning.
If you are running the container image, you can just use the -tika option to rebuild your container image with the fixed version of Tika.
Update 26.09.2025:
I had a couple of discussions offline and there is some discussion in the comments of this blog post.
Christian Henseler raised an interesting fine-tuning option: only exclude PDF instead of adding a whitelist.
You can exclude certain types of attachments to avoid the risk.
notes.ini FT_INDEX_IGNORE_ATTACHMENT_TYPES=*.pdf
https://help.hcl-software.com/domino/14.5.0/admin/modifying_file_attachment_indexing.html
This is especially interesting on clients where you can't update quickly and where attachment indexing is usually not needed anyway.
You can deploy the notes.ini setting via desktop policy to ensure that, if someone uses a local FT index with attachment filters, the affected component in Tika is not invoked.
On the server side my recommendation remains: I would update to Domino 14.0 or, better, 14.5 and switch to the newer Tika binary.
Or wait for the upcoming 14.5 FP1 and 14.0 FP5 which both will contain the fixed Tika version.
-- Daniel
Comments [9]
1 Christian Henseler 22.09.2025 14:21:13
another mitigation (for server & client):
FT_INDEX_IGNORE_ATTACHMENT_TYPE=*.pdf
2 Daniel Nashed 22.09.2025 17:08:19
@Christian Henseler,
that's listed in the original technote, but why would we want to disable FT index for PDFs and later have to rebuild the index, if we can just replace the Tika binary?
3 Christian Henseler 22.09.2025 19:20:05
Exchanging/updating a TIKA Jar-File might be an easy task in a small Developer's environment, but when thinking about large enterprise environments with > 100.000 Clients and hundreds of dislocated servers around the world, it's easier to mitigate the security risk by disabling PDF indexing and deploying a hopefully near-future Fix using Auto Install (on the server side).
Exchanging a jar file in a small Developer's environment might be a small task, but in Enterprise environments with service providers bound to legal regulation, where such nice things like clean source processes, testing, Changes, etc... come into play, it might not be the best idea to lower the actual risk for customers one is responsible for as service provider.
And besides this, in the original technote a notes.ini parameter is listed that is not the best choice for mitigation, because you have to actively whitelist all kinds of attachments you still want to be indexed. With the parameter I've mentioned, you simply blacklist the affected attachment type, *.pdf, as simple as it is.
4 Christian Henseler 22.09.2025 19:29:29
and I've asked the same questions once before with a similar post:
Is your way of exchanging a file not provided by HCL in a defined Notes or Domino installation officially supported by HCL?
If this is the best way to get rid of the security issue, why is HCL not recommending it?
Does HCL officially support a Notes 12.0.2 32-Bit Client or Domino 12.0.2FPx 64 Bit installation with tika-server 3.2.2 or 3.2.3?
As Notes/Domino 11 is still supported by Extended Support, do you recommend tika-server 3.2.2 for Notes/Domino 11.0.1 or tika-server 3.2.3?
As soon as you have to obey official support agreements, it's not that easy to simply change a file.
5 Michal Szuniewicz 22.09.2025 22:14:01
@Christian Henseler
I think that the notes.ini you really meant should be:
FT_INDEX_IGNORE_ATTACHMENT_TYPES=*.pdf
so the name of this notes.ini parameter is plural _TYPES (not _TYPE)
Though I have not tested it yet.
7 Christian Henseler 23.09.2025 15:42:04
@Michal Szuniewicz
Yes, you are right, sorry for the typo/missing "s"
Because it's a pretty old notes.ini parameter introduced - back in R5.0.x days - long before Tika was in place, I've tested it and it is still working.
8 Kevin Ahrens 24.09.2025 15:47:29
Hi Daniel,
we tried replacing the Tika jar in the program directory manually in our staging environment but encountered an error after starting the domino server:
"Ausnahmebedingung in Thread "main" java.lang.UnsupportedClassVersionError: JVMCFRE199E fehlerhafte Hauptversion 55.0 von class=org/apache/tika/server/core/TikaServerCli, die maximal unterstützte Hauptversion ist 52.0; offset=6"
Maybe this is special to our environment because it worked for you? We tested tika 3.2.2 and 3.2.3 on domino 12.0.2FP5HF9
Seems like we will have to wait until an official HCL fix is out and will use the notes.ini settings provided in the comments to filter PDFs.
9 Darren Duke 25.09.2025 15:01:20
@Kevin, the "replace the JAR file" fix only works in versions 14+. As you're on 12, you'll need to do the ini fix.