Hi Saravanan,

I’m not a Tika maintainer, but I thought I might share what we did to reduce the CVEs reported from dependencies brought in by Tika (maybe the maintainers can chime in on whether this is appropriate to do). We ended up using Maven dependency exclusions for dependencies that were only used for file formats that we knew we wouldn’t encounter in our own use of Tika. For example, we excluded all org.bouncycastle packages in Tika 1.x because it seems to only be used for handling encrypted files, and we don’t use encrypted files in our application.
Thanks,
Rajiv

From: Saravanan Balakrishnan <[email protected]>
Date: Tuesday, April 21, 2026 at 2:43 AM
To: [email protected] <[email protected]>
Subject: CVE in Tika 3.3 & 3.2.3

Hi Tika Team,

Our scan has identified that below CVEs are identified,

CVE-2025-14813: This issue affects BC-JAVA: from 1.59 before 1.84.
CVE-2026-5598: This issue affects BC-JAVA: from 2.17.3 before 1.84.
CVE-2026-0636: This issue affects BC-JAVA: from 1.74 before 1.84.

Please check and confirm that these CVEs are affected in Tika 3.2.3 & 3.3.0 as I tried to get the info about the same in Tika jar file could not find any.

Thanks for your valuable input and time.

Regards,
Saravanan B
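Added example (not part of the original thread and not Tika project code): the exclusion described in the reply above as a pom.xml fragment, with a check that no org.bouncycastle artifact is still resolved afterwards. The `${tika.version}` property, the `com.example:app` project and both dependency-tree samples are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment: the Tika 1.x parsers artifact with every
# org.bouncycastle artifact excluded (wildcard artifactId needs Maven 3.2.1+).
POM_FRAGMENT = """
<dependency>
  <groupId>org.apache.tika</groupId>
  <artifactId>tika-parsers</artifactId>
  <version>${tika.version}</version>
  <exclusions>
    <exclusion>
      <groupId>org.bouncycastle</groupId>
      <artifactId>*</artifactId>
    </exclusion>
  </exclusions>
</dependency>
"""

# Constructed `mvn dependency:tree` samples (placeholders, not real build output).
TREE_BEFORE = """[INFO] com.example:app:jar:1.0
[INFO] \\- org.apache.tika:tika-parsers:jar:TIKA_VERSION:compile
[INFO]    +- org.bouncycastle:bcprov-jdk15on:jar:1.70:compile
[INFO]    +- org.bouncycastle:bcmail-jdk15on:jar:1.70:compile
[INFO]    \\- org.apache.pdfbox:pdfbox:jar:PDFBOX_VERSION:compile
"""
TREE_AFTER = """[INFO] com.example:app:jar:1.0
[INFO] \\- org.apache.tika:tika-parsers:jar:TIKA_VERSION:compile
[INFO]    \\- org.apache.pdfbox:pdfbox:jar:PDFBOX_VERSION:compile
"""

# groupId:artifactId:type[:classifier]:version:scope at the end of a tree line
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:(?:[\w.\-]+:)?([\w.\-]+):(\w+)\s*$")

def excluded_groups(dependency_xml):
    """Return the groupIds that a <dependency> element excludes."""
    dep = ET.fromstring(dependency_xml)
    return {e.findtext("groupId") for e in dep.iter("exclusion")}

def still_resolved(tree_text, groups):
    """Return (groupId, artifactId, version) for tree entries in `groups`."""
    matches = (COORD.search(line) for line in tree_text.splitlines())
    return [m.group(1, 2, 3) for m in matches if m and m.group(1) in groups]

if __name__ == "__main__":
    groups = excluded_groups(POM_FRAGMENT)
    print("before:", still_resolved(TREE_BEFORE, groups))
    print("after: ", still_resolved(TREE_AFTER, groups))
```

In a real build, pass `still_resolved` the output of `mvn dependency:tree -Dincludes=org.bouncycastle`; an empty result means the scanner has no Bouncy Castle jar left to flag on that path.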
