HCL published the security bulletin "HCL Connections is affected by an XML External Entity (XXE) vulnerability in Apache Tika (CVE-2025-54988)", confirming that Connections is also vulnerable to CVE-2025-54988.
I tested the attack described in the CVE and the Apache Tika announcement. The Tika process extracts the content of files uploaded to Connections so that search can index it.
The issue allows an attacker to add any file from the server to the extracted content.
- This is not a major concern when your WebSphere processes run as a non-root user (recommended)
- To demonstrate the issue, I added `/etc/passwd` to an uploaded file
- After the index process finished, I was able to search for known users in Connections search
- This allowed me to deduce which services are installed on the server
As you can see, if this is a dedicated WebSphere server and the process is not running as root, the attack surface is very limited.
The XXE can also be used to make a web request that includes file content from the server.
- This can leak the content of a file to a web service
- If your WebSphere service is running as non-root, system files accessible only to root cannot be leaked
- However, all Connections data that is accessible to the user running WebSphere can be compromised
`/opt/HCL/Connections/cfg.py` contains the passwords of `connectionsAdmin` and the database users, only XORed with `_`
So if your server has internet access and the attacker can guess the file path, they can obtain (for example) the reversibly XOR-obfuscated passwords of the Connections admin user and the database users.
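As an added defensive illustration (not HCL Connections or Apache Tika code), a pre-indexing check that flags DTD external-entity declarations in uploaded documents before they reach the extraction step described above; the inspected file types, the `scan_upload` function and the constructed samples are assumptions, and it is a heuristic, not a substitute for the fix.

```python
# Added illustration (not HCL or Tika code): flag DTD external entities in uploads.
import io, re, zipfile, zlib

# DOCTYPE with an internal subset; ENTITY or %parameter entity using SYSTEM/PUBLIC.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b[^>]*\[", re.I)
_ENTITY_RE = re.compile(rb"<!ENTITY\s+(%\s*)?\w+\s+(SYSTEM|PUBLIC)\b", re.I)
_PDF_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def scan_xml_bytes(data: bytes) -> list:
    """Findings for one XML document; empty list when clean."""
    findings = ["DOCTYPE with internal subset"] if _DOCTYPE_RE.search(data) else []
    for m in _ENTITY_RE.finditer(data):
        findings.append("external entity: " + m.group(0).decode("latin-1"))
    return findings

def scan_upload(data: bytes) -> dict:
    """Map part name -> findings for bare XML, zip-based office files and PDFs."""
    results = {}
    if zipfile.is_zipfile(io.BytesIO(data)):          # docx/xlsx/odt containers
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.lower().endswith((".xml", ".rels")):
                    found = scan_xml_bytes(zf.read(name))
                    if found:
                        results[name] = found
    elif data.startswith(b"%PDF"):                    # XML may sit in FlateDecode streams
        for i, m in enumerate(_PDF_STREAM_RE.finditer(data)):
            try:
                body = zlib.decompressobj().decompress(m.group(1))
            except zlib.error:                        # uncompressed or other filter
                body = m.group(1)
            found = scan_xml_bytes(body)
            if found:
                results["pdf stream %d" % i] = found
    else:
        found = scan_xml_bytes(data)
        if found:
            results["document"] = found
    return results

# Constructed samples only (placeholder path, not a file on any real server).
CLEAN_XML = b'<?xml version="1.0"?><doc><p>quarterly report</p></doc>'
XXE_XML = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY ext SYSTEM '
           b'"file:///placeholder/path">]><d>&ext;</d>')
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("[Content_Types].xml", CLEAN_XML)
    _zf.writestr("word/document.xml", XXE_XML)
SAMPLE_DOCX = _buf.getvalue()
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<</Filter/FlateDecode>>\nstream\n"
              + zlib.compress(XXE_XML) + b"\nendstream\nendobj\n")
```

Anything the scanner flags can be held back from Tika extraction and indexing for manual review.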
You need to weigh up whether your server is at risk or whether you can wait for an official fix.
A possible workaround is to disable the PDF mimeType in `search-config.xml`.

Delete the line and restart the Search application.
I assume that you will need to rebuild your complete index when a fix is available, as there is no task to re-extract file content.