DATA CENTER AND SERVER | CLOUD
Security Vulnerability Notification CVE-2025-66516
A security vulnerability was recently identified in easeRequirements for Jira. It affects easeRequirements versions 4.6 to 5.3.1. The vulnerability (CVE-2025-66516) is a critical XXE (XML External Entity) injection in Apache Tika tika-core (versions 1.13 to 3.2.1) that allows an attacker to carry out the injection via a crafted PDF file. The vulnerable code was present from September 2021 until December 2025.
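The advisory gives two inclusive version ranges: easeRequirements 4.6 to 5.3.1 and tika-core 1.13 to 3.2.1. The following is an added example, not vendor code, showing how an administrator can check a component inventory against those ranges with a proper numeric version comparison (a plain string comparison would wrongly order 1.13 before 1.2). The inventory lines and the `-SNAPSHOT`-style qualifier handling are constructed assumptions.

```python
"""Inventory check for the version ranges stated in the CVE-2025-66516 advisory."""

# Affected ranges exactly as stated in the advisory, inclusive on both ends.
AFFECTED = {
    "org.apache.tika:tika-core": ("1.13", "3.2.1"),
    "easeRequirements": ("4.6", "5.3.1"),
}


def parse_version(version: str) -> tuple:
    """Turn '3.2.1' into (3, 2, 1).

    Assumption: a trailing qualifier such as '-SNAPSHOT' or '-jira9' is ignored,
    so it compares as the base version it is built from.
    """
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def _pad(parts: tuple, length: int) -> tuple:
    # '4.6' and '4.6.0' must compare as equal.
    return parts + (0,) * (length - len(parts))


def in_range(version: str, low: str, high: str) -> bool:
    """True if low <= version <= high, comparing component-wise as integers."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    n = max(len(v), len(lo), len(hi))
    return _pad(lo, n) <= _pad(v, n) <= _pad(hi, n)


def is_affected(component: str, version: str) -> bool:
    """Check one component against the advisory's affected ranges."""
    if component not in AFFECTED:
        return False
    low, high = AFFECTED[component]
    return in_range(version, low, high)


def check_inventory(lines):
    """Parse 'component:version' lines and report which entries fall in an affected range.

    Returns a list of (component, version, affected) tuples, one per non-empty line.
    """
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        component, version = line.rsplit(":", 1)
        results.append((component, version, is_affected(component, version)))
    return results


# Constructed sample inventory (not real deployment data).
SAMPLE_INVENTORY = [
    "# component:version",
    "easeRequirements:5.3.1",
    "easeRequirements:5.3.2",
    "org.apache.tika:tika-core:1.13",
    "org.apache.tika:tika-core:1.2",
    "org.apache.tika:tika-core:3.2.1",
    "org.apache.tika:tika-core:3.2.2",
]


if __name__ == "__main__":
    for component, version, affected in check_inventory(SAMPLE_INVENTORY):
        status = "AFFECTED" if affected else "ok"
        print(f"{component:28} {version:8} {status}")
```

Only the two ranges printed in the advisory are encoded; the script does not claim to know which release of tika-core carries the upstream fix, so a version above 3.2.1 is reported as outside the stated range, nothing more.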
This vulnerability has been rated critical according to the Common Vulnerability Scoring System (CVSS) scale.
The vulnerability was brought to our notice by Atlassian’s EcoScanner platform on Dec 7th, 2025. Once we became aware of the issue, we prioritized the investigation and planned for hotfixes to be released as soon as possible. Based on what we found, remediation actions have been taken to ensure that this vulnerability is now fixed.
Based on our investigations, the vulnerability is unlikely to have had any impact on you: Apache Tika tika-core is a library used exclusively by the ReqIF feature in easeRequirements, which remains a dark feature until version 5.3.2.
We are working with Atlassian to update the Atlassian Marketplace with an updated listing of our app that is free from this vulnerability. No further action is required from you at this point.
We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.
If you have any questions, please feel free to raise a support request at http://support.atlassian.com referencing [AMS-48756, AMS-48754].