Security Bulletin: HCL Notes is affected by an XML External Entity (XXE) vulnerability in Apache Tika (CVE-2025-54988)
Daniel Nashed – 22 September 2025 08:52:18
That's the risk you take when adding external libs to your software: you can be hit by an upstream vulnerability.
In this case Tika has an issue with indexing PDF attachments.
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124165
Notes and Domino both run Tika as an external stand-alone Java application where the client or server is talking to it over TCP/IP loopback.
The Tika server is started as the same user as the client/server. On the server side this should usually be a non-privileged user.
So the risk for Notes/Domino might not be as high as the original CVE rating suggests.
Still, it makes sense to replace Tika if you are indexing databases with attachments in your environment.
There will be a fix provided by HCL, but you can also replace the Tika jar file manually today.
Note: Replacing the Tika server jar will only work with Notes/Domino 14.0+, because the current Tika release requires Java 11+.
Notes/Domino introduced Java 17 in version 14.0. Older versions are still running Java 8.
https://tika.apache.org/download.html
Container image
The Domino container project supports replacing Tika at build time.
I have removed previous Tika versions from the software list and added the latest 3.2.3 version this morning.
If you are running the container image, you can just use the -tika option to rebuild your container image with the fixed version of Tika.
Update 26.09.2025:
I had a couple of discussions offline and there is some discussion in the comments of this blog post.
Christian Henserler raised an interesting fine-tuning option: exclude only PDF attachments instead of maintaining a whitelist.
You can exclude certain types of attachments to avoid the risk.
notes.ini FT_INDEX_IGNORE_ATTACHMENT_TYPES=*.pdf
https://help.hcl-software.com/domino/14.5.0/admin/modifying_file_attachment_indexing.html
This is especially interesting on clients where you can't update quickly and where usually no attachment indexing is needed.
You can deploy the notes.ini setting via desktop policy to ensure that, if someone uses a local FT index with attachment filters, the affected component in Tika is not invoked.
On the server side my recommendation remains: update to Domino 14.0 or better 14.5 and switch to the newer Tika binary.
Or wait for the upcoming 14.5 FP1 and 14.0 FP5, which will both contain the fixed Tika version.
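The post describes two ways to close the exposure: a Tika server jar at or above the version named above (3.2.3), or a notes.ini that keeps PDF attachments away from Tika. The following POSIX shell helpers are an added example for auditing a host against both, not code from this post, from HCL or from the Domino container project. The jar and notes.ini paths are placeholders, and reading the Tika version from the jar's Implementation-Version manifest entry is an assumption about how that jar is built.

```shell
#!/bin/sh
# Added example (not from the post or from HCL/Domino): audit helpers for the
# two mitigations described above. A host counts as mitigated when either its
# Tika server jar is at or above the version the post names as fixed (3.2.3),
# or its notes.ini excludes *.pdf from attachment indexing.
# TIKA_JAR and NOTES_INI are placeholder paths (assumption), not Domino defaults.

FIXED_TIKA_VERSION="3.2.3"
TIKA_JAR="${TIKA_JAR:-/path/to/tika-server-standard.jar}"   # placeholder
NOTES_INI="${NOTES_INI:-/path/to/notes.ini}"                # placeholder

# version_ge A B: succeed when dotted version A is >= B (numeric per component,
# missing components count as 0, so 3.2 == 3.2.0)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# tika_version_from_manifest: print Implementation-Version from MANIFEST.MF
# text read on stdin (CRLF tolerated). Assumes the jar records that entry.
tika_version_from_manifest() {
    tr -d '\r' | awk -F': ' '/^Implementation-Version:/ { print $2; exit }'
}

# tika_jar_version JAR: print the version recorded in the jar's manifest
tika_jar_version() {
    unzip -p "$1" META-INF/MANIFEST.MF | tika_version_from_manifest
}

# pdf_excluded_in_notes_ini: notes.ini text on stdin; succeed when
# FT_INDEX_IGNORE_ATTACHMENT_TYPES lists *.pdf (case-insensitive, any position)
pdf_excluded_in_notes_ini() {
    tr -d '\r' | awk -F= '
        toupper($1) == "FT_INDEX_IGNORE_ATTACHMENT_TYPES" && tolower($2) ~ /\*\.pdf/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# mitigation_verdict VERSION PDF_EXCLUDED(0/1): print "patched" when the jar is
# at/above the fixed version, "pdf-excluded" when only the notes.ini guard is
# in place, otherwise "exposed". An empty VERSION means the jar was unreadable.
mitigation_verdict() {
    if [ -n "$1" ] && version_ge "$1" "$FIXED_TIKA_VERSION"; then
        echo "patched"
    elif [ "$2" = "1" ]; then
        echo "pdf-excluded"
    else
        echo "exposed"
    fi
}

# audit_host: read the real jar and notes.ini (paths above) and print a verdict
audit_host() {
    ver=$(tika_jar_version "$TIKA_JAR" 2>/dev/null || true)
    if pdf_excluded_in_notes_ini < "$NOTES_INI" 2>/dev/null; then excl=1; else excl=0; fi
    echo "tika=${ver:-unknown} pdf_excluded=$excl verdict=$(mitigation_verdict "$ver" "$excl")"
}
```

Point TIKA_JAR and NOTES_INI at the real files and call audit_host; a verdict of "pdf-excluded" is the client-side state the update above describes, and "exposed" means neither mitigation is present on that host.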
-- Daniel