What is CVE-2022-25169?

A medium-severity vulnerability in Apache Tika BPG parser may lead to memory exhaustion on crafted files. Organizations should prioritize remediation to prevent service disruptions.

What is the severity of CVE-2022-25169?

CVE-2022-25169 has a severity rating of MEDIUM with a CVSS base score of 5.5.

CVE-2022-25169 | Medium Vulnerability in Apache Tika

The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files. This vulnerability has been classified with a CVSS score of 5.5, indicating a medium severity. The risk to organizations includes potential denial of service due to memory exhaustion, making it critical for defenders to address this vulnerability promptly.

With a local attack vector and low complexity, exploitation requires user interaction, meaning an attacker must persuade a user to open a crafted file. Organizations should prioritize patching immediately to mitigate the risk associated with this vulnerability.

This vulnerability remains unaddressed in the KEV (Known Exploited Vulnerabilities) catalog, and no public exploit has been confirmed. However, the potential for disruption emphasizes the importance of proactive remediation.

Organizations utilizing affected versions of Apache Tika or Oracle Primavera Unifier should assess their deployments and apply the necessary updates as soon as possible.

Vulnerability Details

The affected versions of Apache Tika are those prior to 1.28.2 and 2.4.0. The vulnerability allows for excessive memory allocation, which can lead to denial of service conditions. The CWE classification for this issue is CWE-770, associated with allocation of resources without limits.

Technical Analysis

The root cause of this vulnerability stems from insufficient validation of inputs in the BPG parser, leading to excessive memory allocation when processing maliciously crafted files. Attackers can exploit this vulnerability locally, requiring no privileges and necessitating user interaction to open the crafted file.

The attack complexity is low, and successful exploitation can severely impact the availability of the application by exhausting memory resources. No confidentiality or integrity impacts are associated with this vulnerability.

Risk & Impact Analysis

The real-world risk posed by this vulnerability is significant, particularly for organizations relying on Apache Tika for file processing. The potential for denial of service due to memory exhaustion could disrupt operations and impact service availability.

Given the medium CVSS score and the fact that it is not currently in the KEV catalog, organizations should still treat it with urgency and plan for remediation in their security patch cycles.

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

This vulnerability affects Apache Tika versions prior to 1.28.2 and 2.4.0. Additionally, Oracle Primavera Unifier versions 17.7 through 21.12 are also vulnerable. Organizations running these versions should take immediate action to upgrade.

Mitigation & Remediation

Organizations should review their Apache Tika and Oracle Primavera Unifier deployments for affected versions and apply the latest patches. The recommended versions to upgrade to are Apache Tika 1.28.2 or 2.4.0 and the latest versions of Primavera Unifier. If immediate patching is not possible, consider implementing configuration hardening and network controls to mitigate the risk.

For continuous assessment of security posture, organizations can benefit from engaging in continuous security testing to identify similar weaknesses.

Detection Guidance

To detect potential exploitation of this vulnerability, organizations should monitor logs for unusual memory allocation patterns, especially when processing BPG files. Behavioral anomalies during file parsing could indicate an ongoing attack. Network signatures related to file transfer protocols may also provide insights into suspicious activity.

AppSecure Threat Intelligence Insight

The long-term significance of this vulnerability reflects a broader trend in software where improper resource management can lead to denial of service vulnerabilities. Security teams should prioritize training and awareness to mitigate similar risks in the future. Engaging with expert services can enhance defensive capabilities.

For organizations looking to strengthen their security posture, consider leveraging application security assessments and red teaming services to identify and remediate vulnerabilities proactively.

By adopting a proactive security posture, organizations can mitigate the impact of vulnerabilities such as CVE-2022-25169 and enhance their overall resilience against evolving threats.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2022-25169: Medium Vulnerability in Apache Tika