Atlassian Patches Critical Apache Tika Flaw
securityweek
Atlassian has rolled out patches for roughly 30 third-party vulnerabilities impacting its products, including critical-severity flaws.
The first security defect that stands out is CVE-2025-66516 (CVSS score of 10/10), a critical-severity XML External Entity (XXE) injection bug in Apache Tika.
Impacting the tika-core, tika-pdf-module, and tika-parsers modules of the universal parser, the flaw was disclosed in early December.
It can be exploited via crafted XFA files placed inside PDF files, potentially leading to information leaks, denial-of-service (DoS), server-side request forgery (SSRF), or remote code execution (RCE).
Atlassian products that use Tika include Bamboo, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management. The company has released fixes for all six.
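XFA forms embedded in PDFs are XML documents (XFA is the XML Forms Architecture), so how the XML parser handles DTDs and external entities decides whether a crafted file can trigger XXE. The function below is an added example, not Tika's code or Atlassian's fix: it parses untrusted XML with the Python standard library's expat binding and rejects any DOCTYPE outright, which removes entity declarations (internal or external) before any reference could be resolved. The sample documents and the `file:///placeholder/path` URI are constructed for illustration.

```python
"""Hardened XML parsing that refuses any DOCTYPE (added example, not Tika code)."""
import xml.parsers.expat


class UnsafeXml(ValueError):
    """Raised when an untrusted document tries to declare a DTD or entities."""


# Constructed sample: the shape of a document that must be rejected. The DTD
# declares an external entity; the placeholder URI is never fetched because
# the parse stops at the DOCTYPE.
CONSTRUCTED_XXE_DOC = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE form [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>\n'
    b'<form><field>&ext;</field></form>\n'
)

# Constructed sample: an ordinary document with no DTD.
CONSTRUCTED_BENIGN_DOC = b'<form><field>hello</field><field>world</field></form>'


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source, returning element names and text.

    Any DOCTYPE is rejected: entity declarations can only appear inside a DTD,
    so refusing the DTD closes the whole XXE class (file disclosure, SSRF,
    entity-expansion DoS) in one check.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements, text = [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raising inside an expat handler aborts Parse() with this exception.
        raise UnsafeXml(f"DOCTYPE {name!r} not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = on_doctype
    # Defence in depth: should an external entity reference still reach expat,
    # returning 0 fails the parse instead of fetching the resource.
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return {"elements": elements, "text": "".join(text)}


if __name__ == "__main__":
    print(parse_untrusted_xml(CONSTRUCTED_BENIGN_DOC))
    try:
        parse_untrusted_xml(CONSTRUCTED_XXE_DOC)
    except UnsafeXml as exc:
        print("rejected:", exc)
```

Rejecting the DOCTYPE is stricter than disabling external entities alone, but it is the simplest configuration to audit: there is no entity-resolution setting left to get wrong, and the same check applies to any XML grammar, XFA included.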
The list of critical-severity issues that Atlassian resolved this month also includes CVE-2022-37601 (CVSS score of 9.8), a prototype pollution vulnerability in webpack loader-utils, which is used in Confluence.
Another critical prototype pollution bug was patched in Jira and Jira ...