Atlassian Patches Critical Apache Tika Flaw

Atlassian has released software updates for Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, and Jira.

Atlassian has rolled out patches for roughly 30 third-party vulnerabilities impacting its products, including critical-severity flaws.

The first security defect that stands out is CVE-2025-66516 (CVSS score of 10/10), a critical-severity XML External Entity (XXE) injection bug in Apache Tika.

Impacting the tika-core, tika-pdf-module, and tika-parsers modules of the universal parser, the flaw was disclosed in early December.

It can be exploited via crafted XFA files placed inside PDF files, potentially leading to information leaks, denial-of-service (DoS), SSRF attacks, or remote code execution (RCE).

Atlassian products that use Tika include Bamboo, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management. The company has released fixes for all six.
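The XXE class described above depends on a DOCTYPE: the external SYSTEM entity that reads files or reaches internal hosts (SSRF), and the nested internal entities behind entity-expansion DoS, are both declared in a DTD. The defensive pattern that removes the whole class is therefore to refuse any DOCTYPE before the real parser sees untrusted XML (the same idea as the Xerces `disallow-doctype-decl` feature on the Java side). The following is an added example written for this article, not code from Atlassian or Apache Tika; it uses only Python's standard-library expat bindings, and the three sample documents are constructed for illustration.

```python
"""Refuse DTDs before parsing untrusted XML (added example, not Tika code)."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when an untrusted document carries a DOCTYPE declaration."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Scan the document with expat and raise on any DOCTYPE.

    Using the parser's own doctype callback instead of a regex means
    encoding or whitespace tricks cannot hide the declaration.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # An exception raised inside an expat callback propagates out of Parse().
        raise DtdRejected(
            f"DOCTYPE {name!r} refused (system id={sysid!r}, "
            f"internal subset={bool(has_internal_subset)})"
        )

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Parse XML from an untrusted source (for example an XFA form stream)."""
    reject_dtd(xml_bytes)          # guard first ...
    return ET.fromstring(xml_bytes)  # ... then hand it to the normal parser


def classify(xml_bytes: bytes) -> str:
    """Return 'ok' if the document parsed, 'rejected' if the guard fired."""
    try:
        parse_untrusted(xml_bytes)
        return "ok"
    except DtdRejected:
        return "rejected"


# Constructed samples: one benign form and two hostile shapes.
BENIGN = b'<?xml version="1.0"?><form><field name="user">alice</field></form>'

# External entity: the classic XXE shape (file read or SSRF via a SYSTEM id).
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE form [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
       b'<form>&ext;</form>')

# Nested internal entities: the entity-expansion DoS shape, kept tiny here.
LAUGHS = (b'<?xml version="1.0"?>'
          b'<!DOCTYPE lol [<!ENTITY a "ha"><!ENTITY b "&a;&a;&a;&a;">]>'
          b'<form>&b;</form>')


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("laughs", LAUGHS)):
        print(f"{label}: {classify(doc)}")
```

The guard costs one extra pass over the input, which is cheap compared with resolving an entity over the network. If a deployment genuinely needs DTDs for some trusted documents, the stricter alternative is still to keep the DOCTYPE ban on anything that arrived from outside and route only the trusted feed through a parser with external entities disabled.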

The list of critical-severity issues that Atlassian resolved this month also includes CVE-2022-37601 (CVSS score of 9.8), a prototype pollution vulnerability in webpack loader-utils, which is used in Confluence.

Another critical prototype pollution bug was patched in Jira and Jira Service Management. Tracked as CVE-2021-39227 (CVSS score of 9.8), it affects the lightweight graphic library ZRender.

Atlassian’s fresh round of fixes also resolves over two dozen high-severity DoS, XXE, SSRF, file inclusion, prototype pollution, improper authorization, information disclosure, improper input validation, and RCE flaws.

Software updates that fix these defects were released for the Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management Data Center and Server products.

Because the weaknesses were found in third-party dependencies, they impact all Atlassian products that rely on them.

Users are advised to apply the patches as soon as possible. Additional information on the bugs and their fixes can be found in Atlassian’s December 2025 security advisory.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
