SAS Statement Regarding Apache Tika XXE Vulnerability
(CVE-2025-66516)

Reference Name: Apache Tika XXE Vulnerability (CVE-2025-66516)
Severity: Critical
Status: Investigation

History

  • 1-23-2026 – Update about SAS® 9.4M8
  • 1-20-2026 – Update about SAS® 9.4M8 and SAS® 9.4M9
  • 12-17-2025 – Updated statement
  • 12-11-2025 – Updated statement
  • 12-9-2025 – Initial statement

Summary

SAS is aware of CVE-2025-66516 and is continuing to investigate the impact of this vulnerability on SAS products. See https://nvd.nist.gov/vuln/detail/CVE-2025-66516 for a more detailed description of this CVE.

SAS® Cloud Solutions

SAS Cloud and Information Services is aware of CVE-2025-66516 and is actively working to ensure that protection capabilities are up to date.

SAS uses comprehensive controls that are implemented on default customer installations to help safeguard each SAS Cloud environment. Even where the affected Apache Tika code is present, its implementation within SAS products and SAS Cloud Solutions might reduce the risk that the vulnerable code paths are reachable or exploitable. The CVSS score provided by Apache does not account for these compensating controls and architectural mitigations that can further reduce practical risk.

Impact

SAS has evaluated that SAS® 9.4 and SAS® Viya® 3.x include a vulnerable version of the Apache Tika component and are affected.

SAS has also evaluated that SAS® Viya® platform customers on Stable 2025.09 or LTS 2025.09 and later releases of SAS Viya are not affected, because they do not use a vulnerable version of the Apache Tika component. Customers on the SAS Viya platform releases of Stable 2025.08 or LTS 2025.03 and earlier are affected and should upgrade to Stable 2025.09 or LTS 2025.09 and later releases for remediation. Instructions for upgrading are available.

As always, SAS recommends that you keep your SAS deployments up to date. The current version of the SAS®9 platform is SAS® 9.4M9 (TS1M9).

Guidance, Activities, and Plans

SAS has provided a software update for SAS 9.4M8 that removes vulnerable versions of the Apache Tika component. For details and access to the updates, see SAS KB0043911 and SAS Security Update for SAS® 9.4M8 (TS1M8). Both the product hot fixes and the SAS Security Update for SAS 9.4M8 are needed to fully resolve the issue.

SAS intends to provide a software update that removes vulnerable versions of the Apache Tika component from SAS 9.4M9 and supported versions of SAS Viya 3.x. This bulletin will be updated when the software update is available. At this time, the estimated release date for the software updates for SAS 9.4M9 and SAS Viya 3.x is Q1 2026.

SAS Viya 3.x customers who are impacted can choose to enable configurations that remediate the risk but impact feature functionality. Contact Technical Support for instructions for such remediations.

Updates to this Bulletin

When SAS has additional news or guidance for this vulnerability and its impact on SAS software and services, we will update this official security bulletin.

The latest SAS Product Security bulletins are available at https://support.sas.com/security-bulletins.html and by RSS feed.