Atlassian has released urgent security updates addressing a critical flaw in Apache Tika, along with nearly 30 other third-party vulnerabilities affecting its software portfolio. The updates cover Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management.
The most severe issue, CVE-2025-66516, carries a CVSS score of 10/10 and is an XML External Entity (XXE) injection vulnerability in Apache Tika. The flaw impacts the tika-core, tika-pdf-module, and tika-parsers components, and can be exploited via specially crafted XFA files embedded in PDFs. Successful exploitation could lead to information disclosure, denial-of-service (DoS), server-side request forgery (SSRF), or remote code execution (RCE).
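The XXE class described above is closed on the parser side by refusing DTDs and external entity resolution before any document-embedded XML (such as an XFA form) is processed. The following is an added illustration written for this article, not Atlassian or Apache Tika code, and says nothing about how Tika's own fix is implemented. It uses only the Python standard library `expat` bindings; the two sample documents are constructed here, and the `file:///` URI in the rejected one is a placeholder.

```python
"""Parse XML extracted from an untrusted document without exposure to XXE.

Added example for this article (not Atlassian or Apache Tika code).
External entities can only be declared inside a DTD, so the parser
rejects any DOCTYPE outright; as a second layer, the external-entity
hook refuses to resolve anything, so even a DTD that slipped through
could not make the process read a local file or reach the network.
"""
import xml.parsers.expat


class UnsafeXml(ValueError):
    """Raised when the document uses a feature that enables XXE."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Return {'root': first element name, 'text': concatenated text}.

    Raises UnsafeXml for documents that declare a DOCTYPE (internal or
    external subset), reference an external entity, or are malformed.
    """
    parser = xml.parsers.expat.ParserCreate()
    result = {"root": None, "text": []}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE' before any entity declarations are read,
        # so entity expansion (external or 'billion laughs') never starts.
        raise UnsafeXml(f"DOCTYPE declaration not allowed (root {name!r})")

    def external_entity_ref(context, base, sysid, pubid):
        # Returning False aborts the parse instead of fetching the URI.
        return False

    def start_element(name, attrs):
        if result["root"] is None:
            result["root"] = name

    def char_data(text):
        result["text"].append(text)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXml(f"malformed or blocked XML: {exc}") from exc
    result["text"] = "".join(result["text"]).strip()
    return result


def is_safe_xml(data: bytes) -> bool:
    """Convenience wrapper: True if the document parses under the policy above."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXml:
        return False
    return True


# Constructed samples. The first mimics a harmless XFA-style form fragment;
# the second declares an external entity with a placeholder file URI.
BENIGN_SAMPLE = (
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
    b'<field name="greeting">hello</field></xdp:xdp>'
)
XXE_SAMPLE = (
    b'<!DOCTYPE form [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b'<form>&ext;</form>'
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_SAMPLE))   # parses normally
    print(is_safe_xml(XXE_SAMPLE))              # False: DOCTYPE rejected
```

Rejecting the DOCTYPE wholesale is the simplest policy for content pulled out of documents, where no legitimate schema needs a DTD; a parser that must accept DTDs instead disables external general and parameter entities and caps entity expansion.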
Atlassian confirmed that all products using Tika, including Bamboo, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management, have been patched to mitigate the risk.
In addition to the Apache Tika flaw, Atlassian resolved other critical-severity vulnerabilities this month:
- CVE-2022-37601 – A prototype pollution issue in webpack’s loader-utils affecting Confluence (CVSS 9.8).
- CVE-2021-39227 – A prototype pollution vulnerability in the ZRender lightweight graphics library impacting Jira and Jira Service Management (CVSS 9.8).
The update also addresses over two dozen high-severity issues, including DoS, XXE, SSRF, file inclusion, prototype pollution, improper authorization, information disclosure, improper input validation, and RCE vulnerabilities. Because these flaws originate in third-party dependencies, any Atlassian product relying on them may have been exposed.
Atlassian strongly advises users to apply the updates immediately. Detailed information on the vulnerabilities and their fixes is available in Atlassian’s December 2025 security advisory.