Hi,
If you're working with a fat jar file and bc isn't included there, then
it doesn't apply to you. If you're working with the individual libraries
then you can set the dependencies. So what remains are fat jars that
include bc.
CVE-2025-14813: this looks like a classic bug, not a security risk IMHO.
However: It doesn't say that data would not be encrypted, although it
doesn't say what would happen if larger data is passed.
CVE-2026-5598: this is a timing issue. Just don't let anyone else on
your machine to get your private key.
CVE-2026-0636: my understanding is that this would be if we run an LDAP
SERVER.
Tilman
On 21.04.2026 at 08:43, Saravanan Balakrishnan wrote:
Hi Tika Team,
Our scan has identified the CVEs below:
CVE-2025-14813: This issue affects BC-JAVA: from 1.59 before 1.84.
CVE-2026-5598: This issue affects BC-JAVA: from 2.17.3 before 1.84.
CVE-2026-0636: This issue affects BC-JAVA: from 1.74 before 1.84.
Please check and confirm that these CVEs affect Tika 3.2.3 &
3.3.0, as I tried to get the info about the same in the Tika jar file
but could not find any.
Thanks for your valuable input and time.
Regards,
Saravanan B
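
The check described in the reply (does a fat jar actually include bc?) can be scripted. This is an added example, not part of the thread and not Tika project code; the archive names, the `bcprov-jdk18on-0.0.jar` file name and the sample jars are constructed placeholders, and it assumes Bouncy Castle classes keep `org/bouncycastle/` somewhere in their path, including relocated copies.

```python
import io
import sys
import zipfile

# Also matches relocated copies such as shaded/org/bouncycastle/...
BC_MARKER = "org/bouncycastle/"

def find_bundled_bc(jar_bytes, name="app.jar", depth=0, max_depth=3):
    """Return [(container, class_count)] for each archive level that holds BC classes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        entries = zf.namelist()
        count = sum(1 for e in entries if BC_MARKER in e and e.endswith(".class"))
        if count:
            hits.append((name, count))
        if depth >= max_depth:
            return hits
        # Fat jars may merge classes or carry whole library jars inside them.
        for e in entries:
            if e.lower().endswith((".jar", ".war")):
                try:
                    hits += find_bundled_bc(zf.read(e), f"{name}!/{e}", depth + 1, max_depth)
                except zipfile.BadZipFile:
                    continue  # not a readable archive, skip it
    return hits

def make_jar(entries):
    """Build an in-memory jar from {path: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()

# Constructed sample archives (empty class files, placeholder names).
BC_LIB = make_jar({"org/bouncycastle/crypto/Digest.class": b"",
                   "org/bouncycastle/util/Arrays.class": b""})
NO_BC = make_jar({"org/apache/tika/Tika.class": b""})
MERGED = make_jar({"org/apache/tika/Tika.class": b"",
                   "org/bouncycastle/crypto/Digest.class": b""})
NESTED = make_jar({"BOOT-INF/lib/bcprov-jdk18on-0.0.jar": BC_LIB, "app/Main.class": b""})

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for container, n in find_bundled_bc(fh.read(), path):
                print(f"{container}: {n} Bouncy Castle classes")
```

An empty result means the archive does not bundle bc; a hit on a nested library jar shows its file name, which normally carries the version to compare against the ranges in the CVE entries.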