
CVE-2022-25169: Apache Tika DoS Vulnerability

CVE-2022-25169 is a denial of service flaw in Apache Tika where the BPG parser allocates excessive memory on crafted files. This article covers the technical details, affected versions, impact, and mitigation.


CVE-2022-25169 Overview

CVE-2022-25169 is a Resource Exhaustion vulnerability affecting Apache Tika, a content analysis toolkit widely used for detecting and extracting metadata and text from various file formats. The vulnerability exists in the BPG (Better Portable Graphics) parser component, which can be tricked into allocating an unreasonable amount of memory when processing specially crafted BPG files.

Critical Impact

Attackers can craft malicious BPG files that trigger excessive memory allocation in the Apache Tika BPG parser, leading to denial of service conditions through memory exhaustion.

Affected Products

  • Apache Tika versions before 1.28.2
  • Apache Tika versions before 2.4.0
  • Oracle Primavera Unifier versions 18.8, 19.12, 20.12, 21.12

Discovery Timeline

  • May 16, 2022 - CVE-2022-25169 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2022-25169

Vulnerability Analysis

This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The BPG parser in Apache Tika fails to properly validate or limit memory allocation when processing input files. When a user or application processes a maliciously crafted BPG file through Tika, the parser attempts to allocate memory based on values specified within the file structure without implementing appropriate bounds checking.

The attack requires local access and user interaction, meaning an attacker would need to deliver a malicious BPG file to a victim who then processes it using an application that leverages Apache Tika for content analysis. This could occur in document management systems, content indexing services, or any application utilizing Tika for file parsing.

Root Cause

The root cause of CVE-2022-25169 lies in insufficient input validation within the BPG parser component. The parser reads size or dimension parameters from the BPG file headers and uses these values to determine memory allocation without implementing proper upper-bound limits. Attackers can specify extremely large values in these parameters, causing the parser to attempt allocating excessive memory that can exhaust available system resources.

Attack Vector

The attack vector for this vulnerability requires local access with user interaction. An attacker must craft a malicious BPG file containing manipulated header values that specify unreasonably large memory requirements. The attack sequence involves:

  1. The attacker creates a specially crafted BPG file with manipulated size parameters in the file header
  2. The malicious file is delivered to a target system through various means (email attachment, file upload, shared storage)
  3. When a user or automated process attempts to analyze the file using Apache Tika, the BPG parser reads the malicious parameters
  4. The parser attempts to allocate memory based on the crafted values without proper validation
  5. System memory becomes exhausted, resulting in denial of service affecting the application and potentially the entire system

Detection Methods for CVE-2022-25169

Indicators of Compromise

  • Unexpected memory consumption spikes when processing BPG image files
  • Application crashes or out-of-memory errors during Tika content analysis operations
  • BPG files with anomalously large dimension values in file headers
  • System performance degradation correlating with document processing activities
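The root-cause passage above explains that the parser trusts size and length fields read from the BPG header, and the indicators list names "anomalously large dimension values" as something to look for. The following added example (not Tika's code and not part of the original page) is a header-level pre-filter that reads those declared values without decoding any pixels and rejects a file whose declared dimensions or extension length exceed a budget before the file ever reaches Tika. The field layout (magic, two flag bytes, then ue7-coded width, height, picture_data_length and an optional extension_data_length) follows the public BPG specification; the budgets, the function names and the sample headers are assumptions constructed for this example.

```python
from typing import Optional

# Added example (not Tika's code): a header-level pre-filter for BPG files.
# Field layout follows the public BPG specification; the budgets below are
# assumptions and should be tuned to the largest image the service expects.

BPG_MAGIC = b"\x42\x50\x47\xfb"  # "BPG" followed by 0xFB


def read_ue7(data: bytes, pos: int):
    """Decode one ue7 value: big-endian 7-bit groups, high bit = 'more follows'."""
    value = 0
    for _ in range(5):  # a 32-bit value needs at most five 7-bit groups
        if pos >= len(data):
            raise ValueError("truncated ue7 field")
        byte = data[pos]
        pos += 1
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return value, pos
    raise ValueError("ue7 field longer than 32 bits")


def write_ue7(value: int) -> bytes:
    """Encode a non-negative integer as ue7 (used only to build the constructed samples)."""
    groups = []
    while True:
        groups.append(value & 0x7F)
        value >>= 7
        if value == 0:
            break
    groups.reverse()
    return bytes([g | 0x80 for g in groups[:-1]] + [groups[-1]])


def parse_bpg_header(data: bytes) -> dict:
    """Return the declared sizes from a BPG header without decoding any pixels."""
    if len(data) < 6 or data[:4] != BPG_MAGIC:
        raise ValueError("not a BPG file")
    flags1, flags2 = data[4], data[5]
    hdr = {
        "pixel_format": flags1 >> 5,
        "bit_depth": (flags1 & 0x0F) + 8,
        "color_space": flags2 >> 4,
        "extension_present": (flags2 >> 3) & 1,
        "animation": flags2 & 1,
    }
    pos = 6
    hdr["width"], pos = read_ue7(data, pos)
    hdr["height"], pos = read_ue7(data, pos)
    hdr["picture_data_length"], pos = read_ue7(data, pos)  # 0 = runs to end of file
    hdr["extension_data_length"] = 0
    if hdr["extension_present"]:
        hdr["extension_data_length"], pos = read_ue7(data, pos)
    hdr["header_length"] = pos
    return hdr


def bpg_prefilter(data: bytes, max_pixels: int = 50_000_000,
                  max_extension_bytes: int = 10 * 1024 * 1024):
    """Accept or reject a BPG file on its declared sizes. Returns (ok, reason)."""
    try:
        hdr = parse_bpg_header(data)
    except ValueError as exc:
        return False, str(exc)
    w, h = hdr["width"], hdr["height"]
    if w == 0 or h == 0:
        return False, "zero width or height"
    if w * h > max_pixels:
        return False, f"declared {w}x{h} exceeds pixel budget of {max_pixels}"
    ext = hdr["extension_data_length"]
    if ext > max_extension_bytes:
        return False, f"extension_data_length {ext} exceeds budget of {max_extension_bytes}"
    declared = hdr["picture_data_length"]
    if declared and hdr["header_length"] + ext + declared > len(data):
        return False, "declared picture data runs past end of file"
    return True, f"ok: {w}x{h}, {hdr['bit_depth']}-bit"


def make_bpg_header(width: int, height: int, extension_len: Optional[int] = None) -> bytes:
    """Build a constructed header (no HEVC payload) for exercising the filter."""
    flags1 = (0 << 5) | 0                                   # pixel_format 0, 8-bit
    flags2 = (0 << 4) | (0x08 if extension_len is not None else 0)
    out = BPG_MAGIC + bytes([flags1, flags2])
    out += write_ue7(width) + write_ue7(height) + write_ue7(0)
    if extension_len is not None:
        out += write_ue7(extension_len)
    return out


# Constructed samples: a plausible thumbnail header and two oversized headers.
BENIGN = make_bpg_header(640, 480)
HUGE_DIMENSIONS = make_bpg_header(2**31 - 1, 2**31 - 1)
HUGE_EXTENSION = make_bpg_header(16, 16, extension_len=2**31)

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("huge_dimensions", HUGE_DIMENSIONS),
                         ("huge_extension", HUGE_EXTENSION)]:
        print(name, bpg_prefilter(sample))
```

The filter is a gate in front of the parser, not a replacement for the patched Tika versions: a file that passes it is still handed to Tika, but a file whose header alone declares a gigapixel image or a multi-gigabyte extension block is dropped and logged before any allocation happens.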

Detection Strategies

  • Monitor Java heap memory usage for applications utilizing Apache Tika libraries
  • Implement file type validation to identify BPG files before processing
  • Configure application-level memory limits and alerting thresholds
  • Review logs for OutOfMemoryError exceptions in Tika parsing contexts

Monitoring Recommendations

  • Set up resource monitoring for services running Apache Tika to detect unusual memory allocation patterns
  • Configure heap dump collection on memory threshold violations for forensic analysis
  • Implement file integrity monitoring on document processing queues to identify suspicious BPG files
  • Monitor for repeated processing failures that could indicate exploitation attempts
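The detection strategies list asks for OutOfMemoryError exceptions to be reviewed "in Tika parsing contexts", and the monitoring list asks for repeated processing failures to be watched. The following added example (not part of the original page and not Tika's code) shows one way to do that triage over an application log: it groups each timestamped line with the stack-trace lines under it, keeps only events that carry java.lang.OutOfMemoryError, marks those whose trace passes through an org.apache.tika frame, and attaches the last input the worker announced before the error. The log lines, logger names and the name=... convention are constructed for this example.

```python
import re

# Added example (not Tika's code): triage a Java application log for
# OutOfMemoryError events whose stack trace passes through Apache Tika.
# The log lines below are constructed for this example.

SAMPLE_LOG = """\
2024-05-01 10:00:01 INFO  IndexWorker - processing upload id=41 name=report.pdf
2024-05-01 10:00:02 INFO  IndexWorker - processing upload id=42 name=banner.bpg
2024-05-01 10:00:03 ERROR IndexWorker - parse failed for upload id=42
java.lang.OutOfMemoryError: Java heap space
\tat org.apache.tika.parser.image.BPGParser.parse(Unknown Source)
\tat org.apache.tika.parser.CompositeParser.parse(Unknown Source)
\tat com.example.index.IndexWorker.run(Unknown Source)
2024-05-01 10:05:10 ERROR CacheLoader - refresh failed
java.lang.OutOfMemoryError: Java heap space
\tat com.example.cache.Loader.fill(Unknown Source)
2024-05-01 10:05:11 INFO  IndexWorker - processing upload id=43 name=notes.txt
"""

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})\b")
INPUT_RE = re.compile(r"\bname=(\S+)")
# Captures the fully qualified class of a Java stack frame ("at pkg.Class.method(").
FRAME_RE = re.compile(r"^\s*at\s+([\w$.]+)\.[\w$<>]+\(")


def split_events(log_text: str):
    """Group each timestamped line with the continuation lines (stack frames) under it."""
    events, current = [], None
    for line in log_text.splitlines():
        m = TIMESTAMP_RE.match(line)
        if m:
            current = {"timestamp": m.group(1), "lines": [line]}
            events.append(current)
        elif current is not None:
            current["lines"].append(line)
    return events


def find_tika_oom(log_text: str):
    """Return every OOM event, flagging those with an org.apache.tika frame in the trace."""
    findings, last_input = [], None
    for ev in split_events(log_text):
        for line in ev["lines"]:
            m = INPUT_RE.search(line)
            if m:
                last_input = m.group(1)  # most recent input the worker announced
        body = "\n".join(ev["lines"])
        if "java.lang.OutOfMemoryError" not in body:
            continue
        frames = [FRAME_RE.match(l).group(1) for l in ev["lines"] if FRAME_RE.match(l)]
        tika_frames = [f for f in frames if f.startswith("org.apache.tika.")]
        findings.append({
            "timestamp": ev["timestamp"],
            "tika_related": bool(tika_frames),
            "parser": tika_frames[0] if tika_frames else None,   # innermost Tika frame
            "last_input": last_input if tika_frames else None,
        })
    return findings


def count_tika_oom(log_text: str) -> int:
    """Number of Tika-related OOM events; repeated hits are the alerting signal."""
    return sum(1 for f in find_tika_oom(log_text) if f["tika_related"])


if __name__ == "__main__":
    for f in find_tika_oom(SAMPLE_LOG):
        print(f)
    print("tika-related OOM events:", count_tika_oom(SAMPLE_LOG))
```

The second OOM in the sample comes from an unrelated cache loader and is reported but not flagged, which is the distinction the detection strategy asks for: only memory errors whose trace actually passes through Tika's parser chain should feed a CVE-2022-25169 alert, and the innermost Tika frame tells you which parser was running.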

How to Mitigate CVE-2022-25169

Immediate Actions Required

  • Upgrade Apache Tika to version 1.28.2 or later for the 1.x branch
  • Upgrade Apache Tika to version 2.4.0 or later for the 2.x branch
  • Apply Oracle's Critical Patch Update from July 2022 for affected Primavera Unifier deployments
  • Implement memory limits and resource constraints for document processing services

Patch Information

Apache has released patched versions that address this memory exhaustion vulnerability. Users should upgrade to Apache Tika 1.28.2 or 2.4.0 depending on their deployment branch. Oracle has included fixes in their July 2022 Critical Patch Update for affected Primavera Unifier versions. For detailed patch information, refer to the Apache Mailing List Thread, the Oracle Critical Patch Update, or the NetApp Security Advisory.

Workarounds

  • Disable BPG file parsing if not required by configuring Tika's parser exclusions
  • Implement strict file type allowlisting to prevent processing of BPG files
  • Configure JVM memory limits (-Xmx) to contain potential memory exhaustion to the application level
  • Deploy document processing in isolated containers with resource quotas to limit blast radius
```bash
# Configuration example - JVM memory limits for Tika applications
# Set maximum heap size to prevent system-wide memory exhaustion
java -Xmx512m -jar tika-app.jar --config=tika-config.xml

# Example Tika configuration to exclude BPG parser (tika-config.xml)
# Disable BPG parsing if not required for your use case
```
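The workarounds list and the shell snippet above refer to a tika-config.xml that excludes the BPG parser. The following is an added example of such a file, not configuration taken from the page or shipped by the Tika project: it keeps Tika's default parser set and removes only the BPG parser via Tika's parser-exclude mechanism. The class name org.apache.tika.parser.image.BPGParser is the parser class in the Tika code base; confirm it against the Tika version you deploy.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- tika-config.xml (added example): default parsers minus the BPG parser -->
<properties>
  <parsers>
    <parser class="org.apache.tika.parser.DefaultParser">
      <parser-exclude class="org.apache.tika.parser.image.BPGParser"/>
    </parser>
  </parsers>
</properties>
```

With this file in place, BPG inputs fall through to Tika's empty/default handling instead of the BPG parser, so the allocation path this CVE describes is never reached; it is a stop-gap until the 1.28.2 or 2.4.0 upgrade is applied, not a substitute for it.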

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
