Reference Name: Apache Tika XXE Vulnerability (CVE-2025-66516)
Severity: Critical
Status: Investigation
History
- 04-02-2026 – Update about SAS® 9.4M8, SAS® 9.4M9, and SAS® Viya® 3.5
- 1-23-2026 – Update about SAS® 9.4M8
- 1-20-2026 – Update about SAS® 9.4M8 and SAS® 9.4M9
- 12-17-2025 – Updated statement
- 12-11-2025 – Updated statement
- 12-9-2025 – Initial statement
Summary
SAS is aware of CVE-2025-66516 and is continuing to investigate the impact of this vulnerability on SAS products. See https://nvd.nist.gov/vuln/detail/CVE-2025-66516 for a more detailed description of this CVE.
SAS® Cloud Solutions
SAS Cloud and Information Services is aware of CVE-2025-66516 and is actively working to ensure that protection capabilities are up to date.
SAS uses comprehensive controls that are implemented on default customer installations to help safeguard each SAS Cloud environment. Even where the affected Apache Tika code is present, its implementation within SAS products and SAS Cloud Solutions might reduce the risk that the vulnerable code paths are reachable or exploitable. The CVSS score provided by Apache does not account for these compensating controls and architectural mitigations that can further reduce practical risk.
Impact
SAS has determined that SAS® 9.4 and SAS® Viya® 3.x include a vulnerable version of the Apache Tika component and are affected.
SAS has also determined that SAS® Viya® platform customers on Stable 2025.09 or LTS 2025.09 and later releases are not affected, because those releases do not use a vulnerable version of the Apache Tika component. Customers on SAS Viya platform releases Stable 2025.08 or LTS 2025.03 and earlier are affected and should upgrade to Stable 2025.09 or LTS 2025.09 or a later release for remediation. Instructions for upgrading are available.
As always, SAS recommends that you keep your SAS deployments up to date. The current version of the SAS®9 platform is SAS® 9.4M9 (TS1M9).
Guidance, Activities, and Plans
SAS has provided software updates that remove vulnerable versions of the Apache Tika component.
- SAS® 9.4M8: See SAS KB0043911 and the SAS Security Update for SAS® 9.4M8.
- SAS® 9.4M9: See SAS KB0043911 and the SAS Security Update for SAS® 9.4M9.
- SAS® Viya® 3.5: See SAS KB0043911 and apply the latest update.
Both the product hot fixes and the applicable SAS Security Update are required to fully resolve the issue for SAS® 9.4.
Updates to this Bulletin
When SAS has additional news or guidance for this vulnerability and its impact on SAS software and services, we will update this official security bulletin.
The latest SAS Product Security bulletins are available at https://support.sas.com/security-bulletins.html and by RSS feed.