Advisory

Atlassian patches 46 vulnerabilities in December 2025 security bulletin, nine critical Third-Party flaws

Take action: If you use Atlassian products (Jira, Confluence, Bamboo, Bitbucket, Crowd, or Fisheye/Crucible), plan a general update. The December 2025 bulletin brings a large batch of fixes, including critical flaws in third-party dependency components.


Learn More

Atlassian has released its December 2025 Security Bulletin patching 46 vulnerabilities in total, including 37 high-severity vulnerabilities and 9 third-party vulnerabilities that have been remediated in recently released versions of Atlassian products.

The most prevalent vulnerability affecting multiple Atlassian products is an XXE (XML External Entity Injection) flaw in the Tika dependency, tracked as CVE-2025-66516 (CVSS score 10.0). Atlassian has stated that its use of this dependency carries a lower, non-critical assessed risk. This vulnerability affects Bamboo Data Center and Server, Confluence Data Center and Server, Crowd Data Center and Server, Fisheye/Crucible Server, Jira Software Data Center and Server, and Jira Service Management Data Center and Server.

Additional critical-severity third-party vulnerabilities include CVE-2022-37601 (CVSS score 9.8), a Prototype Pollution vulnerability in the loader-utils dependency affecting Confluence, and CVE-2021-39227 (CVSS score 9.8), a Prototype Pollution vulnerability in the zrender dependency affecting both Jira Software and Jira Service Management platforms.

Among the high-severity vulnerabilities addressed in this bulletin are several denial-of-service flaws, remote code execution vulnerabilities, and server-side request forgery issues. These include CVE-2024-29415 (CVSS score 8.1), an SSRF vulnerability in Confluence Data Center and Server; CVE-2016-1181 (CVSS score 8.1), a remote code execution vulnerability affecting both Jira Software and Jira Service Management; and CVE-2025-54988 (CVSS score 8.4), an XXE vulnerability in Jira platforms. Multiple DoS vulnerabilities have been identified across various dependencies, including org.apache.tomcat components, io.netty libraries, jackson-databind, and other third-party packages. Further fixes cover an improper authorization issue in the spring-security-core dependency tracked as CVE-2025-41248 (CVSS score 7.5), prototype pollution flaws, and information disclosure vulnerabilities.

Affected products span Atlassian's entire enterprise software suite:

  • Bamboo Data Center and Server versions from 9.6.1 through 12.0.1 should be updated to fixed versions including 12.0.2, 10.2.12 (LTS), or 9.6.20 (LTS).
  • Confluence Data Center and Server versions ranging from 7.19.18 through 10.2.0 should be updated to 10.2.1 (LTS), 9.2.12 (LTS), or 8.5.30 (LTS).
  • Jira Software and Jira Service Management installations running versions from 9.12.1 through 11.2.1 should be updated to version 11.3.0 (LTS) or 10.3.15 (LTS).
  • Crowd Data Center and Server versions from 5.1.7 through 7.1.1 should be updated to version 7.1.2.
  • Bitbucket Data Center and Server versions 8.18.0 through 9.1.1 should be updated to versions ranging from 8.19.25 through 10.1.3.
  • Fisheye/Crucible versions 4.8.14 through 4.9.5 should be updated to version 4.9.6.
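The version ranges above turned into a quick inventory check. This is an added example, not Atlassian's own tooling: it assumes the summary's "from X through Y" ranges are inclusive, treats versions outside them as merely not listed in this summary rather than as safe, and leaves Bitbucket out because the summary gives only a span of fixed versions rather than one per release line.

```python
"""Check Atlassian Data Center/Server versions against the December 2025 bulletin ranges."""
from typing import NamedTuple


class Entry(NamedTuple):
    lowest: str     # first affected version named in the bulletin summary
    highest: str    # last affected version named in the bulletin summary
    fixed: tuple    # fixed versions named in the bulletin summary


# Ranges and fixed versions exactly as listed in the advisory text above.
# Bitbucket is omitted: the summary gives a span of fixed versions, not one per line.
BULLETIN = {
    "bamboo":     Entry("9.6.1",   "12.0.1", ("9.6.20", "10.2.12", "12.0.2")),
    "confluence": Entry("7.19.18", "10.2.0", ("8.5.30", "9.2.12", "10.2.1")),
    "jira":       Entry("9.12.1",  "11.2.1", ("10.3.15", "11.3.0")),
    "crowd":      Entry("5.1.7",   "7.1.1",  ("7.1.2",)),
    "fisheye":    Entry("4.8.14",  "4.9.5",  ("4.9.6",)),
}


def parse_version(text: str) -> tuple:
    """'10.2' -> (10, 2, 0): zero-pad so dotted versions compare correctly as tuples."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def assess(product: str, installed: str) -> dict:
    """Report whether the installed build sits inside the bulletin's listed range
    (assumed inclusive) and the nearest listed fixed version at or above it.
    A version outside the range is 'not listed here', not proven safe."""
    entry = BULLETIN[product]
    ver = parse_version(installed)
    in_range = parse_version(entry.lowest) <= ver <= parse_version(entry.highest)
    # Nearest fixed release the instance can move up to without skipping a line.
    candidates = [f for f in entry.fixed if parse_version(f) >= ver]
    upgrade_to = min(candidates, key=parse_version) if candidates else None
    return {"product": product, "installed": installed,
            "in_affected_range": in_range,
            "upgrade_to": upgrade_to if in_range else None}


if __name__ == "__main__":
    # Constructed sample inventory for illustration, not real hosts.
    inventory = [("confluence", "9.2.5"), ("jira", "10.3.1"), ("bamboo", "11.0.0"),
                 ("crowd", "7.1.2"), ("fisheye", "4.9.5")]
    for product, version in inventory:
        print(assess(product, version))
```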

Atlassian strongly recommends that organizations patch their instances to the latest version or one of the designated fixed versions. Organizations using unsupported versions are advised to upgrade to the latest version or a Long-Term Support (LTS) version. Users can verify their current product versions and check for disclosed vulnerabilities through Atlassian's Vulnerability Disclosure Portal at https://confluence.atlassian.com/security.