**Atlassian Addresses Critical Flaw in Apache Tika**

Software company Atlassian has released a batch of security updates to address dozens of vulnerabilities impacting its products, including multiple critical-severity issues.

One of the most severe bugs is a maximum-severity XML External Entity (XXE) injection flaw, tracked as CVE-2025-66516 (CVSS score of 10/10), in Apache Tika.

Apache Tika is an open-source content analysis toolkit used to extract text, metadata, and structured information from virtually any type of file. It's widely used in systems like search indexes, document ingestion pipelines (e.g., Apache Solr, Elasticsearch), compliance tools, and content analysis platforms.

The CVE-2025-66516 vulnerability allows an attacker to carry out XML External Entity injection via a crafted XFA file embedded in a PDF. This flaw affects the following versions:

  • tika-core (1.13-3.2.1)
  • tika-pdf-module (2.0.0-3.2.1)
  • tika-parsers (1.13-1.28.5)

According to the advisory, this CVE describes the same flaw as CVE-2025-54988 but clarifies that the issue is broader. Although it was initially linked to the PDF parser module, the root vulnerability and its fix are actually in tika-core, meaning anyone who updated only the PDF module without upgrading tika-core to version 3.2.2 or later remains exposed.

XXE injection (XML External Entity injection) is a type of security vulnerability that occurs when an application parses XML input insecurely and allows attackers to load external entities: special XML constructs that reference files or URLs outside the document.

The list of critical flaws addressed by Atlassian this month includes prototype pollution bugs in Confluence, Jira, and Jira Service Management, plus dozens of high-severity DoS, XXE, SSRF, file inclusion, and RCE issues. One of these issues is a prototype pollution flaw in the zrender dependency of Jira Software Data Center and Server, tracked as CVE-2021-39227 (CVSS score of 9.8).

ZRender is a lightweight graphics library that provides 2D drawing for Apache ECharts. In versions prior to 5.2.1, using the `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution. It affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly.
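As an added illustration of the merge-style prototype pollution described above (a constructed example, not zrender's or ECharts' code): a naive deep merge follows a `__proto__` key straight into `Object.prototype`, while a hardened merge refuses the prototype-reaching keys and only writes properties the target itself owns. The `isAdmin` property and the input string are constructed for the demo.

```javascript
// Constructed illustration (not zrender's or ECharts' code): a naive deep merge beside a hardened one.
// Constructed untrusted input, e.g. options parsed from JSON; JSON.parse keeps "__proto__" as an own key.
const POLLUTED_JSON = '{"__proto__": {"isAdmin": true}}';
// Naive deep merge: target["__proto__"] resolves to Object.prototype, so the
// recursion writes isAdmin onto the prototype shared by every plain object.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: skip keys that reach the prototype chain; recurse only into own plain objects.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || !target[key] || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run the naive merge, check an unrelated object, then delete the polluted property so this demo
// does not leave the rest of the process broken.
function demoNaive() {
  const before = ({}).isAdmin;
  naiveMerge({}, JSON.parse(POLLUTED_JSON));
  const after = ({}).isAdmin; // true: every plain object now reports isAdmin
  delete Object.prototype.isAdmin;
  return { before, after };
}

// Same input through the hardened merge: nothing leaks, nothing is written.
function demoSafe() {
  const result = safeMerge({}, JSON.parse(POLLUTED_JSON));
  return { leaked: ({}).isAdmin, ownKeys: Object.keys(result) };
}
```

The same guard belongs in any `clone` or `extend` helper that walks untrusted keys, and freezing `Object.prototype` at startup is a coarse but effective backstop in services that can tolerate it.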

The vendor also fixed another prototype pollution vulnerability, tracked as CVE-2022-37601, in the parseQuery function in parseQuery.js of webpack loader-utils, reachable via the name variable. This flaw affects all versions prior to 1.4.1 and 2.0.3.

The list of vulnerabilities addressed this month is reported in the December 2025 security advisory.