CVE-2025-66516
This Bamboo release includes updates to our Apache Tika dependency in response to CVE-2025-66516. Our security team has assessed that the current scope of this CVE does not present the same critical risk in our products, as our use of the dependency doesn’t support the known path for exploitation. The patch for CVE-2025-66516 is being released out of an abundance of caution. This Critical severity DoS (Denial of Service) vulnerability known as CVE-2025-66516 was introduced in 9.6.19 of Bamboo Data Center and Server. This vulnerability with a CVSS Score of 10 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H allows an unauthenticated attacker to take actions which have high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Bamboo Data Center and Server 9.6: Upgrade to a release greater than or equal to 9.6.20 * Bamboo Data Center and Server 10.2: Upgrade to a release greater than or equal to 10.2.12 * Bamboo Data Center and Server 12.0: Upgrade to a release greater than or equal to 12.0.2 See the release notes. You can download the latest version of Bamboo Data Center and Server from the download center. The National Vulnerability Database provides the following description for this vulnerability: Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to \>= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
EPSS 1.58% · 81.9th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Atlassian | Jira Service Management Server | |
| Atlassian | Jira Software Data Center | |
| Atlassian | Crucible Server | |
| Atlassian | Bamboo Data Center | |
| Atlassian | Fisheye Server | |
| Atlassian | Crowd Data Center | |
| Atlassian | Jira Service Management Data Center | |
| Atlassian | Crowd Server | |
| Atlassian | Jira Software Server | |
| Atlassian | Confluence Data Center | |
| Atlassian | Confluence Server | |
| Atlassian | Bamboo Server |
Timeline
- CVE Published
- Dec 5, 2025 EPSS Score
- Dec 9, 2025 EPSS Score
- Dec 14, 2025 EPSS Score
- Dec 15, 2025 PoC Published
- Dec 18, 2025 EPSS Score
- Dec 27, 2025 EPSS Score
- Dec 31, 2025 EPSS Score
- Jan 4, 2026 EPSS Score
- Jan 9, 2026 EPSS Score
- Jan 13, 2026 EPSS Score
- Jan 17, 2026 EPSS Score
References
- https://jira.atlassian.com/browse/JSWSERVER-26630 issue
- https://jira.atlassian.com/browse/JSDSERVER-16477 issue
- https://jira.atlassian.com/browse/CWD-6461 issue
- https://jira.atlassian.com/browse/CWD-6445 issue
- https://jira.atlassian.com/browse/CRUC-8671 issue
- https://jira.atlassian.com/browse/CONFSERVER-101872 issue
- https://jira.atlassian.com/browse/CONFSERVER-101788 issue
- https://jira.atlassian.com/browse/BAM-26272 issue