Security Bulletin - December 11 2025


December 2025 Security Bulletin

The vulnerabilities reported in this Security Bulletin include 37 high-severity vulnerabilities and 9 critical-severity third-party vulnerabilities, which have been fixed in new versions of our products released in the last month.

CVEs reported in monthly Security Bulletins have been assessed as presenting a non-critical risk to Atlassian customers. Outside the monthly Security Bulletin schedule, Atlassian issues Critical Security Advisories as necessary for vulnerabilities that pose an immediate critical risk, assessed on how our products actually use the affected components.

Vulnerabilities are discovered through our Bug Bounty program, pen-testing processes, and third-party library scans.

INSTRUCTIONS

To fix all the vulnerabilities impacting your product(s), Atlassian recommends patching your instances to the latest version or one of the Fixed Versions for each product below. The listed Fixed Versions for each product are current as of publication, [date]; visit the linked product Release Notes for the most up-to-date versions.

To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.
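The instructions above come down to one check an administrator has to repeat per product: is the installed version inside an affected range, is it already a fixed version, or is it on a line the bulletin does not list at all (which, per the FAQ, usually means an unsupported version). The following script is an added example, not Atlassian's tooling or code from this bulletin; the affected and fixed versions are transcribed from the table below for Bamboo and Bitbucket with the "(LTS)" and "Data Center Only" annotations dropped, and the product names, the `BULLETIN` structure and the `assess` function are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Affected ranges and fixed versions transcribed from the bulletin table for two
# products (this example's own data structure; annotations such as "(LTS)" dropped).
# "a to b" is the inclusive range a..b; a lone version means exactly that version.
BULLETIN = {
    "Bamboo Data Center and Server": {
        "affected": ["12.0.1", "10.2.0 to 10.2.11", "9.6.1 to 9.6.19"],
        "fixed": ["12.0.2", "10.2.12", "9.6.20"],
        "recommended": "10.2.12",
    },
    "Bitbucket Data Center and Server": {
        "affected": ["9.1.0 to 9.1.1", "9.0.1", "8.19.0 to 8.19.24", "8.18.0 to 8.18.1"],
        "fixed": ["10.1.1 to 10.1.3", "10.0.0 to 10.0.2", "9.4.0 to 9.4.15",
                  "8.19.25 to 8.19.26"],
        "recommended": "9.4.15",
    },
}

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '10.2.11' into (10, 2, 11); anything that is not dotted integers is rejected."""
    m = re.fullmatch(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def parse_range(text: str) -> tuple[Version, Version]:
    """'9.6.1 to 9.6.19' -> ((9,6,1),(9,6,19)); a single version is a one-element range."""
    parts = [p.strip() for p in text.split(" to ")]
    if len(parts) == 1:
        v = parse_version(parts[0])
        return v, v
    lo, hi = (parse_version(p) for p in parts)
    if lo > hi:
        raise ValueError(f"range is reversed: {text!r}")
    return lo, hi


def in_ranges(version: Version, ranges: list[str]) -> bool:
    """True when version falls inside any of the inclusive ranges (tuple comparison)."""
    return any(lo <= version <= hi for lo, hi in map(parse_range, ranges))


@dataclass
class Assessment:
    status: str                 # "affected", "fixed" or "not listed"
    upgrade_to: Optional[str]   # suggested target version, None when already fixed


def assess(product: str, installed: str) -> Assessment:
    """Classify an installed version against the bulletin entry for one product."""
    entry = BULLETIN[product]
    v = parse_version(installed)
    if in_ranges(v, entry["fixed"]):
        return Assessment("fixed", None)
    if in_ranges(v, entry["affected"]):
        # Prefer a fixed version on the same feature line (same first two components),
        # which keeps the upgrade to a patch release; otherwise use the recommended version.
        for fixed in entry["fixed"]:
            _, hi = parse_range(fixed)
            if hi[:2] == v[:2]:
                return Assessment("affected", ".".join(map(str, hi)))
        return Assessment("affected", entry["recommended"])
    # Versions the bulletin does not list at all are usually unsupported lines;
    # the FAQ's advice is to move to the latest or LTS release.
    return Assessment("not listed", entry["recommended"])


if __name__ == "__main__":
    # Constructed sample inventory: (product, installed version)
    inventory = [
        ("Bamboo Data Center and Server", "10.2.5"),
        ("Bitbucket Data Center and Server", "8.19.10"),
        ("Bitbucket Data Center and Server", "8.17.0"),
    ]
    for product, version in inventory:
        result = assess(product, version)
        print(f"{product} {version}: {result.status}, upgrade to {result.upgrade_to}")
```

Version strings are compared as integer tuples rather than as text, so 10.2.12 correctly sorts after 10.2.9; the same-feature-line preference is a design choice of this example, and an operator who wants to consolidate on an LTS line would simply take the recommended version instead.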

Released Security Vulnerabilities
Columns of the original table: Product & Release Notes, Affected Versions, Fixed Version, Vulnerability Summary, CVE ID, CVSS Severity.

Bamboo Data Center and Server
  Affected versions:
  • 12.0.1
  • 10.2.0 to 10.2.11 (LTS)
  • 9.6.1 to 9.6.19 (LTS)
  Fixed versions:
  • 12.0.2 (Data Center Only)
  • 10.2.12 (LTS) recommended (Data Center Only)
  • 9.6.20 (LTS) (Data Center Only)
  Vulnerabilities:
  • XXE (XML External Entity Injection) Tika Dependency Vulnerability in Bamboo Data Center and Server
    CVE-2025-66516, CVSS 10 Critical. This is a vulnerability in a non-Atlassian Bamboo dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
  • DoS (Denial of Service) org.apache.tomcat:tomcat-util Dependency Vulnerability in Bamboo Data Center and Server
    CVE-2025-52434, CVSS 7.5 High

Bitbucket Data Center and Server
  Affected versions:
  • 9.1.0 to 9.1.1
  • 9.0.1
  • 8.19.0 to 8.19.24 (LTS)
  • 8.18.0 to 8.18.1
  Fixed versions:
  • 10.1.1 to 10.1.3 (Data Center Only)
  • 10.0.0 to 10.0.2 (Data Center Only)
  • 9.4.0 to 9.4.15 (LTS) recommended (Data Center Only)
  • 8.19.25 to 8.19.26 (LTS) (Data Center Only)
  Vulnerabilities:
  • DoS (Denial of Service) com.google.protobuf:protobuf-java Dependency in Bitbucket Data Center and Server
    CVE-2024-7254, CVSS 8.7 High

Confluence Data Center and Server
  Affected versions:
  • 10.2.0 (LTS)
  • 10.1.0 to 10.1.2
  • 10.0.2 to 10.0.3
  • 9.5.1 to 9.5.4
  • 9.4.0 to 9.4.1
  • 9.3.1 to 9.3.2
  • 9.2.0 to 9.2.11 (LTS)
  • 9.1.0 to 9.1.1
  • 9.0.1 to 9.0.3
  • 8.9.0 to 8.9.8
  • 8.8.0 to 8.8.1
  • 8.5.5 to 8.5.29 (LTS)
  • 7.19.18 to 7.19.30 (LTS)
  Fixed versions:
  • 10.2.1 (LTS) recommended (Data Center Only)
  • 9.2.12 (LTS) (Data Center Only)
  • 8.5.30 (LTS)
  Vulnerabilities:
  • XXE (XML External Entity Injection) Tika Dependency Vulnerability in Confluence Data Center and Server
    CVE-2025-66516, CVSS 10 Critical. This is a vulnerability in a non-Atlassian Confluence dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
  • Prototype Pollution loader-utils Dependency Vulnerability in Confluence Data Center and Server
    CVE-2022-37601, CVSS 9.8 Critical. This is a vulnerability in a non-Atlassian Confluence dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
  • SSRF (Server-Side Request Forgery) in Confluence Data Center and Server
    CVE-2024-29415, CVSS 8.1 High
  • File Inclusion tar-fs Dependency in Confluence Data Center and Server
    CVE-2024-12905, CVSS 7.5 High
  • DoS (Denial of Service) loader-utils Dependency Vulnerability in Confluence Data Center and Server
    CVE-2022-37599, CVSS 7.5 High
  • DoS (Denial of Service) loader-utils Dependency Vulnerability in Confluence Data Center and Server
    CVE-2022-37603, CVSS 7.5 High

Crowd Data Center and Server
  Affected versions:
  • 7.1.0 to 7.1.1
  • 7.0.0 to 7.0.2
  • 6.3.0 to 6.3.3
  • 6.2.0 to 6.2.6
  • 6.1.0 to 6.1.7
  • 6.0.0 to 6.0.10
  • 5.3.0 to 5.3.8
  • 5.2.2 to 5.2.11
  • 5.1.7 to 5.1.13
  Fixed versions:
  • 7.1.2 recommended (Data Center Only)
  Vulnerabilities:
  • XXE (XML External Entity Injection) Tika Dependency Vulnerability in Crowd Data Center and Server
    CVE-2025-66516, CVSS 10 Critical. This is a vulnerability in a non-Atlassian Crowd dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
  • DoS (Denial of Service) com.fasterxml.jackson.core:jackson-core Dependency Vulnerability in Crowd Data Center and Server
    CVE-2025-52999, CVSS 8.7 High
  • DoS (Denial of Service) io.netty:netty-codec-http2 Dependency Vulnerability in Crowd Data Center and Server
    CVE-2025-55163, CVSS 8.2 High
  • Improper Authorization org.springframework.security:spring-security-core Dependency in Crowd Data Center
    CVE-2025-41248, CVSS 7.5 High
  • DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency Vulnerability in Crowd Data Center and Server
    CVE-2025-48989, CVSS 7.5 High
  • DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind Dependency Vulnerability in Crowd Data Center
    CVE-2020-36518, CVSS 7.5 High
  • DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server
    CVE-2021-46877, CVSS 7.5 High
  • DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server
    CVE-2022-42004, CVSS 7.5 High
  • Information Disclosure com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server
    CVE-2024-13009, CVSS 7.2 High

Fisheye/Crucible
  Affected versions:
  • 4.9.0 to 4.9.5
  • 4.8.14 to 4.8.16
  Fixed versions:
  • 4.9.6 recommended
  Vulnerabilities:
  • XXE (XML External Entity Injection) Tika Dependency Vulnerability in Crucible Server and Fisheye Server
    CVE-2025-66516, CVSS 10 Critical. This is a vulnerability in a non-Atlassian Fisheye/Crucible dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
  • Improper Input Validation in MSSQL JDBC driver in Crucible Server and Fisheye Server
    CVE-2025-59250, CVSS 8.1 High

Jira Data Center and Server
  Affected versions:
  • 11.2.0 to 11.2.1
  • 11.1.0 to 11.1.1
  • 11.0.0 to 11.0.1
  • 10.3.0 to 10.3.14 (LTS)
  • 9.12.1 to 9.12.30 (LTS)
  Fixed versions:
  • 11.3.0 (LTS) recommended (Data Center Only)
  • 10.3.15 (LTS) (Data Center Only)
  Vulnerabilities:
  • XXE (XML External Entity Injection) Tika Dependency in Jira Software Data Center and Server
    CVE-2025-66516, CVSS 10 Critical. This is a vulnerability in a non-Atlassian Jira Software dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
  • Prototype Pollution zrender Dependency in Jira Software Data Center and Server
    CVE-2021-39227, CVSS 9.8 Critical. This is a vulnerability in a non-Atlassian Jira Software dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
  • XXE (XML External Entity Injection) in Jira Software Data Center and Server
    CVE-2025-54988, CVSS 8.4 High
  • DoS (Denial of Service) org.apache.struts:struts-core Dependency in Jira Software Data Center and Server
    CVE-2016-1182, CVSS 8.2 High
  • DoS (Denial of Service) io.netty:netty-codec-http2 Dependency in Jira Software Data Center and Server
    CVE-2025-55163, CVSS 8.2 High
  • RCE (Remote Code Execution) in Jira Software Data Center and Server
    CVE-2016-1181, CVSS 8.1 High
  • SSRF (Server-Side Request Forgery) axios Dependency in Jira Software Data Center and Server
    CVE-2025-27152, CVSS 7.7 High
  • Improper Authorization org.springframework.security:spring-security-core Dependency in Jira Software Data Center and Server
    CVE-2025-41248, CVSS 7.5 High
  • DoS (Denial of Service) commons-fileupload:commons-fileupload Dependency in Jira Software Data Center and Server
    CVE-2025-48976, CVSS 7.5 High
  • DoS (Denial of Service) software.amazon.ion:ion-java Dependency in Jira Software Data Center and Server
    CVE-2024-21634, CVSS 7.5 High
  • DoS (Denial of Service) minimatch Dependency in Jira Software Data Center and Server
    CVE-2022-3517, CVSS 7.5 High
  • DoS (Denial of Service) axios Dependency in Jira Software Data Center and Server
    CVE-2025-58754, CVSS 7.5 High
  • XXE (XML External Entity Injection) in Jira Software Data Center and Server
    CVE-2023-49735, CVSS 7.5 High
  • DoS (Denial of Service) org.codehaus.jettison:jettison Dependency Vulnerability in Jira Software Data Center and Server
    CVE-2022-45693, CVSS 7.5 High
  • Prototype Pollution lodash.pick Dependency Vulnerability in Jira Software Data Center and Server
    CVE-2020-8203, CVSS 7.4 High

Jira Service Management Data Center and Server
  Affected versions:
  • 11.2.0 to 11.2.1
  • 11.1.0 to 11.1.1
  • 11.0.0 to 11.0.1
  • 10.3.0 to 10.3.14 (LTS)
  Fixed versions:
  • 11.3.0 (LTS) recommended (Data Center Only)
  • 10.3.15 (LTS) (Data Center Only)
  Vulnerabilities:
  • XXE (XML External Entity Injection) Tika Dependency in Jira Service Management Data Center and Server
    CVE-2025-66516, CVSS 10 Critical. This is a vulnerability in a non-Atlassian Jira Service Management dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
  • Prototype Pollution zrender Dependency in Jira Service Management Data Center and Server
    CVE-2021-39227, CVSS 9.8 Critical. This is a vulnerability in a non-Atlassian Jira Service Management dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
  • XXE (XML External Entity Injection) in Jira Service Management Data Center and Server
    CVE-2025-54988, CVSS 8.4 High
  • DoS (Denial of Service) io.netty:netty-codec-http2 Dependency in Jira Service Management Data Center and Server
    CVE-2025-55163, CVSS 8.2 High
  • DoS (Denial of Service) org.apache.struts:struts-core Dependency in Jira Service Management Data Center and Server
    CVE-2016-1182, CVSS 8.2 High
  • RCE (Remote Code Execution) in Jira Service Management Data Center and Server
    CVE-2016-1181, CVSS 8.1 High
  • XXE (XML External Entity Injection) in Jira Service Management Data Center and Server
    CVE-2023-49735, CVSS 7.5 High
  • Improper Authorization org.springframework.security:spring-security-core Dependency in Jira Service Management Data Center and Server
    CVE-2025-41248, CVSS 7.5 High
  • DoS (Denial of Service) minimatch Dependency in Jira Service Management Data Center and Server
    CVE-2022-3517, CVSS 7.5 High
  • DoS (Denial of Service) axios Dependency in Jira Service Management Data Center and Server
    CVE-2025-58754, CVSS 7.5 High
  • Prototype Pollution lodash.pick Dependency Vulnerability in Jira Service Management Data Center and Server
    CVE-2020-8203, CVSS 7.4 High


Frequently Asked Questions:

  • Why is my Feature Version not listed in a Fixed Version? You may be using an unsupported version and need to patch to the latest version or Long-Term Support (LTS) version.
  • What are the most up-to-date Data Center product versions? You can always check the software download portal or visit the product-specific download pages.
  • I am using an LTS; why is it not listed in the Fixed Versions? Your LTS version may not have been updated yet, or a backported fix may not have been feasible. Please see our Security Bug Fix Policy for more information. We recommend upgrading your products to the latest versions. For the latest fixed versions, visit the release notes linked in the vulnerability table.
  • Questions about the bulletin, or have feedback? Let us know! Read more about our bulletins and feel free to contribute feedback on our latest Community Post.

To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.

Last modified on Dec 11, 2025
