Atlassian has released its May 2025 Security Bulletin, disclosing eight high-severity vulnerabilities affecting multiple Data Center and Server products.
The security flaws, discovered through the company’s Bug Bounty program, penetration testing, and third-party library scans, could expose enterprise systems to denial-of-service attacks and privilege escalation exploits if left unpatched.
The bulletin highlights several critical dependencies containing exploitable flaws across Atlassian’s product line. Four distinct denial-of-service vulnerabilities with CVSS scores of 7.5 (High) affect key enterprise solutions.
Bamboo and Confluence Data Center installations are vulnerable to CVE-2025-31650, a flaw in Apache Tomcat’s tomcat-coyote dependency.
This vulnerability stems from improper input validation when handling HTTP/2 priority headers, causing memory leaks that can trigger OutOfMemoryExceptions.
When exploited, an unauthenticated attacker can send malformed requests that exhaust server resources and crash the application.
Similarly, Confluence Data Center faces additional risk from CVE-2024-47072, a vulnerability in the XStream library that allows remote attackers to cause denial-of-service conditions through stack overflow errors.
According to the security bulletin, attackers can manipulate the processed input stream when XStream is configured to use the BinaryStreamDriver.
Fisheye/Crucible version 4.9.0 contains CVE-2024-57699, a vulnerability in the json-smart dependency that enables attackers to cause stack exhaustion by processing specially crafted JSON inputs containing large numbers of '{' characters.
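As an added illustration (not code from the bulletin, Atlassian or the json-smart project), the pre-parse guard below shows the class of mitigation for stack-exhaustion bugs like CVE-2024-57699: it measures bracket nesting depth iteratively, so a recursive parser never sees input deep enough to blow the stack. It is written in Python for brevity (json-smart itself is Java); the depth limit, sample inputs and function names are this example's own choices.

```python
import json

def json_nesting_depth(text: str) -> int:
    """Maximum {}/[] nesting depth of a JSON document, computed iteratively.
    Runs in constant stack space, so it is safe on hostile input; braces inside
    string literals are ignored and backslash escapes are honoured."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1  # unbalanced input is left for json.loads to reject
    return max_depth

def safe_loads(text: str, max_depth: int = 64):
    """Parse JSON only after confirming its nesting depth is within max_depth.
    Over-deep input is rejected with ValueError before any recursive parser
    sees it, which is the failure mode behind CVE-2024-57699."""
    depth = json_nesting_depth(text)
    if depth > max_depth:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit of {max_depth}")
    return json.loads(text)

# Constructed sample inputs for the demo (not taken from any real traffic).
BENIGN = '{"issue": {"fields": {"summary": "braces in text: {{{"}}}'
HOSTILE = "{" * 20000  # a long run of '{', the shape the bulletin describes

def demo():
    """Return (parsed summary of BENIGN, whether HOSTILE was rejected)."""
    summary = safe_loads(BENIGN)["issue"]["fields"]["summary"]
    try:
        safe_loads(HOSTILE)
        rejected = False
    except ValueError:
        rejected = True
    return summary, rejected
```

The same check can sit in front of any recursive-descent parser, whatever the language; the limit should be set to the deepest structure the application legitimately produces, not to the parser's stack capacity.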
Jira Software and Jira Service Management products are affected by CVE-2025-24970, a flaw in Netty’s SslHandler component.
When specially crafted SSL/TLS packets are received, validation processes fail, potentially triggering a native crash.
Privilege Escalation Flaw Threatens Jira Products
Beyond denial-of-service issues, Atlassian disclosed a privilege escalation vulnerability (CVE-2025-22157) with a CVSS score of 7.2 affecting Jira Core and Jira Service Management Data Center products.
This vulnerability allows attackers to perform unauthorized actions as higher-privileged users, potentially compromising system integrity and confidentiality.
The vulnerability impacts multiple versions, including 9.12.0, 10.3.0, 10.4.0, and 10.5.0 of both Jira Core and Jira Service Management Data Center installations.
| CVE | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
| --- | --- | --- | --- | --- |
| CVE-2025-31650 | Bamboo Data Center/Server (v11.0.0–11.0.1), Confluence Data Center/Server (v9.4.0–9.4.1) | Memory leak via malformed HTTP/2 priority headers causing OutOfMemoryException | Unauthenticated network access to vulnerable Tomcat instances (v10.1.10–10.1.39) | 7.5 (High) |
| CVE-2024-47072 | Confluence Data Center/Server (v9.2.0–9.2.4 LTS) | Stack overflow via malicious XStream binary input using BinaryStreamDriver | XStream configuration with binary serialization enabled | 7.5 (High) |
| CVE-2024-57699 | Fisheye/Crucible (v4.9.0–4.9.1) | Stack exhaustion via JSON payloads with >10,000 nested '{' characters | json-smart v2.5.0–2.5.1 dependency in parsing workflows | 7.5 (High) |
| CVE-2025-24970 | Jira Software DC/Server (v10.3.0–10.3.6 LTS), Jira Service Management DC (v5.12.0–5.12.23 LTS) | Native crash in Netty's SslHandler via malformed SSL/TLS packets | Use of Netty v4.1.91–4.1.117 with native SSL/TLS implementation | 7.5 (High) |
| CVE-2025-22157 | Jira Core DC and Jira Service Management DC (v9.12.0, 10.3.0, 10.4.0 and 10.5.0) | Privilege escalation | Authenticated attacker with read-only privileges on an affected Jira instance; requires an unpatched version listed under "Affected Products" | 7.2 (High) |
Immediate Patching Recommended
Atlassian strongly advises customers to upgrade to the latest versions or apply specified security patches immediately.
For Bamboo Data Center, version 11.0.1 addresses the vulnerabilities, while Confluence users should update to version 9.4.1.
Fisheye/Crucible installations should be upgraded to version 4.9.1, and Jira Software and Service Management customers should implement version 10.6.0 or the recommended Long-Term Support (LTS) releases (10.3.5 to 10.3.6 for current LTS users).
“To fix all the vulnerabilities impacting your product(s), Atlassian recommends patching your instances to the latest version or one of the Fixed Versions for each product,” states the company in its advisory.
Organizations using unsupported versions must migrate to supported releases, as backported fixes may not be feasible according to Atlassian’s Security Bug Fix Policy.