There is a vulnerability in Tika, which is used in Solr:
https://github.com/advisories/GHSA-f58c-gq56-vjjf
I just released collective.solr 10.1.0 with support for Solr 9.10, which fixes this vulnerability:
@tisto How did you determine that Solr 9.10 fixes this vulnerability? It appears to include tika-core 1.28.5 and tika-parsers 1.28.5, which are still in the range considered vulnerable.
You are correct. I was under the assumption that Solr 9.10 fixes the issue. There is still no release for Solr 9.11 or Solr 10 that fixes that issue. Therefore, the only way to avoid the vulnerability is to upgrade and run Tika separately.
Solr 9.10.1 has been released recently and includes a security change related to SolrCell/Tika:
SOLR-17888: Mitigate CVE-2025-54988 by disabling XFA parsing in PDF documents when using SolrCell extraction
However, based on the release notes, there is no indication that the bundled Tika dependencies were upgraded — this appears to be a mitigation rather than a dependency update.
Since GHSA-f58c-gq56-vjjf describes the same underlying vulnerability but with a broader scope, it is currently unclear whether upgrading to Solr 9.10.1 alone fully addresses all affected scenarios.
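Since the question in this thread is which Tika artifacts a given Solr distribution actually bundles, here is a small inventory script as an added example (not code from collective.solr or the Solr project). It walks a Solr install, parses `tika-*.jar` file names, and flags versions below a first-fixed version that you pass in; the `FIRST_FIXED_PLACEHOLDER` value is constructed and must be replaced with the version stated in the advisory, and the sample file list mirrors the 1.28.5 jars observed above.

```python
# Added example (not code from collective.solr or the Solr project): inventory the
# Tika jars bundled with a Solr install and flag those below a fixed version.
import os
import re
from typing import Dict, Iterable, Tuple

# Matches e.g. "tika-core-1.28.5.jar" -> ("tika-core", "1.28.5");
# a trailing qualifier such as "-SNAPSHOT" is tolerated and ignored.
TIKA_JAR_RE = re.compile(r"^(tika-[a-z0-9-]+?)-(\d+(?:\.\d+)+)(?:-[A-Za-z0-9]+)?\.jar$")

# Placeholder: substitute the first fixed version from the advisory
# (GHSA-f58c-gq56-vjjf); the value here is constructed, NOT taken from it.
FIRST_FIXED_PLACEHOLDER = "99.0.0"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.28.5' into (1, 28, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_jars(root: str) -> Iterable[str]:
    """Yield bare jar file names found anywhere under a Solr install directory."""
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                yield name


def inventory(jar_names: Iterable[str]) -> Dict[str, str]:
    """Map each bundled Tika artifact to its version, ignoring non-Tika jars."""
    found: Dict[str, str] = {}
    for name in jar_names:
        match = TIKA_JAR_RE.match(name)
        if match:
            found[match.group(1)] = match.group(2)
    return found


def audit(jar_names: Iterable[str], first_fixed: str) -> Dict[str, bool]:
    """Return artifact -> True when its version is below the first fixed version."""
    fixed = parse_version(first_fixed)
    return {art: parse_version(ver) < fixed for art, ver in inventory(jar_names).items()}


if __name__ == "__main__":
    # Constructed sample mirroring the thread's observation of tika-*-1.28.5 jars;
    # on a real host use audit(find_jars("/opt/solr"), "<fixed version>") instead.
    sample = ["tika-core-1.28.5.jar", "tika-parsers-1.28.5.jar", "pdfbox-2.0.0.jar"]
    for artifact, affected in audit(sample, FIRST_FIXED_PLACEHOLDER).items():
        print(f"{artifact}: {'AFFECTED' if affected else 'ok'}")
```

A clean result here only tells you the bundled jar versions are at or above the fixed release; it says nothing about whether a configuration-level mitigation such as the SOLR-17888 XFA change is in effect, which has to be checked separately.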