Atlassian Releases Critical Security Updates for Data Center and Server Products

Atlassian, a leading provider of collaboration and productivity software, has issued its May 2025 Security Bulletin, disclosing eight high-severity entries (five distinct CVEs, several of which affect more than one product) across multiple Data Center and Server products. Left unpatched, these vulnerabilities expose enterprise systems to denial-of-service (DoS) attacks and privilege escalation.

Denial-of-Service Vulnerabilities

Every DoS entry in the bulletin traces back to a flaw in a third-party library bundled with the product rather than to Atlassian's own code. Four distinct DoS vulnerabilities, each with a CVSS score of 7.5 (High), affect the following products:

1. CVE-2025-31650: This vulnerability affects Bamboo and Confluence Data Center installations through Apache Tomcat's tomcat-coyote dependency. Incorrect error handling of invalid HTTP Priority header values leaves the failed request incompletely cleaned up, leaking memory on every such request. An unauthenticated attacker who sends a large number of these malformed requests can drive the JVM to an OutOfMemoryException and crash the application.

2. CVE-2024-47072: Confluence Data Center is vulnerable through the XStream library. When XStream is configured to use the BinaryStreamDriver, a remote attacker can manipulate the processed input stream to trigger a stack overflow, resulting in a DoS condition. Deployments that do not use the BinaryStreamDriver are not reachable through this path.

3. CVE-2024-57699: Fisheye/Crucible version 4.9.0 contains a vulnerability in the json-smart dependency. A specially crafted JSON input consisting of a large number of '{' characters drives the recursive parser deeper with each opening brace until the stack is exhausted, crashing the parsing thread.

4. CVE-2025-24970: Jira Software and Jira Service Management products are affected by a flaw in Netty's SslHandler component, which does not correctly validate a specially crafted SSL/TLS packet in all cases. Because the failure occurs in native code, the result can be a native crash of the JVM process rather than a catchable exception.

Privilege Escalation Vulnerability

Beyond the DoS issues, Atlassian disclosed a privilege escalation vulnerability (CVE-2025-22157) with a CVSS score of 7.2 affecting Jira Core and Jira Service Management Data Center products. It allows an attacker to perform actions as a higher-privileged user, compromising the integrity and confidentiality of the affected instance. The vulnerability impacts multiple versions of both Jira Core and Jira Service Management Data Center, including 9.12.0, 10.3.0, 10.4.0, and 10.5.0.

Recommendations

Atlassian strongly recommends that customers upgrade their installations to the latest patched versions as soon as possible. Because the DoS issues live in bundled third-party libraries, the supported fix is the product upgrade that ships the corrected dependency, not a manual library swap. Users can search the Vulnerability Disclosure Portal by CVE to confirm whether their installed product versions are affected and which release contains the fix.