Solr vulnerability detected, announcement for Managed Search

December 19, 2025 | Dipsy Kapoor | 2 min. read

A new Solr vulnerability was recently identified. Below we provide the information readily available and the recommended mitigation measures.

This blog’s content will be updated as new mitigation options become available within the SearchStax platform.

The vulnerability has been assigned a 10.0 (Critical) CVSS score and is being tracked as CVE-2025-66516.

Does CVE-2025-66516 affect Site Search?

No.

Site Search does not use the Solr Extraction Module or Apache Tika and is therefore not vulnerable to CVE-2025-66516.

Does CVE-2025-66516 affect Serverless?

No.

SearchStax Serverless does not enable the Solr Extraction Module and does not expose the /update/extract handler. In addition:

  • Untrusted access is not permitted.
  • All endpoints are protected using token-based authentication.

As a result, Serverless is not vulnerable to CVE-2025-66516.

Does CVE-2025-66516 affect Managed Search customers?

Potentially, in limited cases.

By default, SearchStax does not allow untrusted access to manage Solr configuration files. However:

  • Managed Search customers can explicitly enable the Solr Extraction Module in their configurations.
  • If a customer enables the extraction handler and allows untrusted access, they could be vulnerable.

Apache Solr recommends disabling XFA form parsing in PDFs to mitigate this issue, as described here:
https://solr.apache.org/security.html#cve-2025-66516-apache-solr-extraction-module-vulnerable-to-xxe-attacks-via-xfa-content-in-pdfs

SearchStax strongly recommends that any customers using the extraction handler:

  • Disable XFA form parsing in their Solr configuration.
  • Ensure appropriate security controls are in place to prevent untrusted access.

SearchStax Mitigations & Forward Plan

  • For new Solr deployments starting January 10, 2026, SearchStax will mitigate this vulnerability by not installing Tika JARs by default.
  • Customers who wish to use the extraction module must:
    • Explicitly contact SearchStax Support.
    • Confirm they have disabled XFA form parsing.
    • Demonstrate that sufficient security controls are implemented.

SearchStax plans to release Solr 9.10.1 in early January 2026, which will further address this vulnerability.
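As an added example (not SearchStax or Apache Solr code) of the check behind the questions above, the Python below audits a solrconfig.xml for the /update/extract handler and for the <lib> directive that loads the extraction module's Tika JARs, and produces a hardened copy with both removed, the same end state as a deployment without the Tika JARs installed. The sample solrconfig.xml is constructed; the handler class and module lib path follow the form used in Solr's stock example configuration.

```python
"""Audit/harden solrconfig.xml for the Solr Extraction Module (added example, not SearchStax
or Apache Solr code). The sample solrconfig.xml below is constructed."""
import xml.etree.ElementTree as ET

EXTRACT_PATH = "/update/extract"
EXTRACT_CLASS = "ExtractingRequestHandler"  # short for solr.extraction.ExtractingRequestHandler

# Constructed sample: a core with the extraction module enabled.
SAMPLE_SOLRCONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<config>
  <lib dir="${solr.install.dir:../../../..}/modules/extraction/lib" regex=".*\.jar"/>
  <requestHandler name="/select" class="solr.SearchHandler"/>
  <requestHandler name="/update/extract" startup="lazy"
                  class="solr.extraction.ExtractingRequestHandler">
    <lst name="defaults"><str name="lowernames">true</str></lst>
  </requestHandler>
</config>
"""

def _is_extract_handler(el):
    return el.get("name") == EXTRACT_PATH or EXTRACT_CLASS in el.get("class", "")

def _is_extraction_lib(el):
    return "extraction" in (el.get("dir") or el.get("path") or "")

def audit_solrconfig(xml_text):
    """Report the handlers and <lib> dirs that enable /update/extract in this core."""
    root = ET.fromstring(xml_text)  # operator-owned config, not untrusted input
    handlers = [h.get("name") for h in root.iter("requestHandler") if _is_extract_handler(h)]
    libs = [l.get("dir") or l.get("path") for l in root.iter("lib") if _is_extraction_lib(l)]
    return {"handlers": handlers, "libs": libs, "exposed": bool(handlers)}

def remove_extraction_module(xml_text):
    """Return the config with the extraction handler and its <lib> entries removed,
    so the core neither exposes /update/extract nor loads the Tika JARs."""
    root = ET.fromstring(xml_text)
    doomed = [(parent, child) for parent in root.iter() for child in list(parent)
              if (child.tag == "requestHandler" and _is_extract_handler(child))
              or (child.tag == "lib" and _is_extraction_lib(child))]
    for parent, child in doomed:  # collected first so removal does not disturb iteration
        parent.remove(child)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("before:", audit_solrconfig(SAMPLE_SOLRCONFIG))
    print("after: ", audit_solrconfig(remove_extraction_module(SAMPLE_SOLRCONFIG)))
```

The check does not cover XFA form parsing, which is a Tika parser setting rather than a solrconfig.xml handler entry; follow the Apache Solr advisory linked above for that.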

By Dipsy Kapoor

VP, Engineering
