
CVE-2025-22166: Atlassian Confluence Data Center DoS Flaw

CVE-2025-22166 is a high-severity denial of service vulnerability in Atlassian Confluence Data Center that allows attackers to disrupt services. This article covers technical details, affected versions, and mitigation.

CVE-2025-22166 Overview

CVE-2025-22166 is a high severity Denial of Service (DoS) vulnerability affecting Atlassian Confluence Data Center and Server. The flaw was introduced in version 2.0 of Confluence Data Center and allows an authenticated attacker with low privileges to disrupt service availability over the network. The weakness is categorized as [CWE-405] Asymmetric Resource Consumption (Amplification), where an attacker can trigger disproportionate resource consumption to render the service unavailable. Atlassian reported this issue through its internal vulnerability program and released fixed versions across the 8.5, 9.2, and 10.0 release lines.

Critical Impact

An authenticated remote attacker can disrupt Confluence availability, taking down collaboration and documentation services for all users of the affected instance.

Affected Products

  • Atlassian Confluence Data Center (versions from 2.0 up to fixed releases)
  • Atlassian Confluence Server (versions from 2.0 up to fixed releases)
  • Confluence Data Center and Server 8.5.x prior to 8.5.25, 9.2.x prior to 9.2.7, and 10.0.x prior to 10.0.2

Discovery Timeline

  • 2025-10-21 - CVE-2025-22166 published to NVD
  • 2025-12-05 - Last updated in NVD database
  • Reported via the Atlassian Internal vulnerability program

Technical Details for CVE-2025-22166

Vulnerability Analysis

The vulnerability is a network-accessible Denial of Service issue in Atlassian Confluence Data Center and Server. An attacker with low-level authenticated access can submit crafted requests that cause Confluence to consume disproportionate resources relative to the request size. The condition aligns with [CWE-405] Asymmetric Resource Consumption, where small inputs trigger large processing or memory costs on the server. Successful exploitation degrades the availability of the Confluence instance and any subsystems that depend on it.

Root Cause

The root cause lies in how Confluence processes certain inputs without enforcing limits that keep resource usage proportional to the work requested. When Confluence accepts and processes the offending request, the server allocates CPU, memory, or thread resources out of all proportion to the request's complexity. The flaw has existed since Confluence Data Center 2.0 and was not addressed until the 8.5.25, 9.2.7, and 10.0.2 releases. Atlassian has not published low-level technical details about the affected component.

Attack Vector

Exploitation occurs over the network and requires low privileges, meaning the attacker must hold a valid Confluence account but does not need administrative rights. No user interaction is required. The attacker sends crafted requests to the Confluence application endpoint, repeatedly exhausting server resources. Because the impact is on availability, exploitation can disrupt service for all users until the instance is restarted or recovered.

No public proof-of-concept code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score remains low at the time of publication, but authenticated DoS primitives in collaboration platforms are a common target in insider-abuse and credential-compromise scenarios. See the Atlassian JIRA Issue CONFSERVER-100907 for vendor tracking.

Detection Methods for CVE-2025-22166

Indicators of Compromise

  • Sudden spikes in CPU, memory, or thread usage on Confluence application nodes without a corresponding spike in legitimate user activity.
  • Repeated requests to the same Confluence endpoint from a single authenticated user account in a short time window.
  • Application logs showing timeouts, garbage collection pauses, or thread pool exhaustion on Confluence servers.
  • Unresponsive Confluence UI or 5xx responses returned to end users.

Detection Strategies

  • Baseline normal Confluence request rates per user and alert on deviations, particularly authenticated accounts that exceed typical query volumes.
  • Correlate Confluence application logs with system performance metrics to identify resource exhaustion patterns tied to specific request types.
  • Monitor the Tomcat or reverse-proxy access logs for high-frequency requests from low-privilege user sessions.
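
The per-user request-rate baseline and access-log review described above can be turned into a simple detector. The following is an added example, not part of the original advisory or of any Atlassian tooling: it parses Tomcat/reverse-proxy combined-format access-log lines (a constructed sample is embedded), counts requests per authenticated user and endpoint in a sliding window, and flags accounts whose burst reaches a threshold, with the number of 5xx responses as a corroborating signal. The log pattern, the 10-second window and the threshold of 20 are assumptions to be tuned against a real baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Tomcat/reverse-proxy combined-style access log ("%h %l %u %t \"%r\" %s %b ...").
# Pattern, window and threshold are assumptions; tune them to the deployment's baseline.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_bursts(lines, window_s=10, threshold=20):
    """Return {(user, path): (peak_requests_in_window, server_errors)} for each
    authenticated account whose hits on one endpoint reach `threshold` inside a
    sliding `window_s`-second window. Unauthenticated ('-') entries are skipped:
    the CVE-2025-22166 condition needs a valid Confluence account."""
    recent = defaultdict(deque)   # (user, path) -> timestamps still inside the window
    errors = defaultdict(int)     # (user, path) -> 5xx responses, a corroborating signal
    alerts = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["user"] == "-":
            continue
        key = (rec["user"], rec["path"])
        errors[key] += int(rec["status"] >= 500)
        q = recent[key]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = (max(len(q), alerts.get(key, (0, 0))[0]), errors[key])
    return alerts

def sample_log():
    """Constructed sample: 'jdoe' hammers one REST endpoint within 5 seconds while
    'alice' browses normally; jdoe's last five requests come back as 503."""
    fmt = ('10.0.0.5 - {u} [21/Oct/2025:10:15:{s:02d} +0000] "{m} {p} HTTP/1.1" '
           '{st} 512 "-" "Mozilla/5.0"')
    lines = [fmt.format(u="alice", s=s, m="GET", p="/dashboard.action", st=200) for s in (1, 20, 45)]
    lines.append(fmt.format(u="-", s=3, m="GET", p="/login.action", st=200))
    return lines + [fmt.format(u="jdoe", s=10 + i // 5, m="POST", p="/rest/api/content/search",
                               st=200 if i < 20 else 503) for i in range(25)]
```

Running `find_bursts(sample_log())` over the constructed sample flags only `jdoe` on `/rest/api/content/search` with 25 requests in the window and 5 server errors; in production, feed it the real access log and alert on the returned keys.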

Monitoring Recommendations

  • Forward Confluence application, access, and JVM logs to a centralized logging platform for behavioral analysis.
  • Configure alerts on JVM heap usage, GC pause times, and active thread counts crossing operational thresholds.
  • Track authentication and session activity to identify compromised accounts that may be used to launch the DoS condition.

How to Mitigate CVE-2025-22166

Immediate Actions Required

  • Inventory all Confluence Data Center and Server instances and identify versions prior to 8.5.25, 9.2.7, and 10.0.2.
  • Upgrade affected instances to a fixed release or the latest available Confluence Data Center version as recommended by Atlassian.
  • Restrict network exposure of Confluence to trusted networks and require VPN access where feasible.
  • Review and reduce the number of low-privilege accounts with active access to Confluence.

Patch Information

Atlassian has released fixed versions for each supported release line. Customers on the 8.5 branch should upgrade to 8.5.25 or later. Customers on the 9.2 branch should upgrade to 9.2.7 or later. Customers on the 10.0 branch should upgrade to 10.0.2 or later. Atlassian recommends upgrading to the latest available Confluence Data Center version. Refer to the Atlassian Confluence Documentation and the Atlassian JIRA Issue CONFSERVER-100907 for full advisory details.

Workarounds

  • Place Confluence behind a web application firewall or reverse proxy that enforces per-user request rate limits.
  • Tune JVM and Tomcat thread pool, timeout, and connection limits to contain resource exhaustion on a single node.
  • Disable or restrict access to Confluence accounts that are not actively required, reducing the attack surface for authenticated abuse.

```bash
# Configuration example
# No vendor-provided configuration workaround is available for CVE-2025-22166.
# Apply the upgrade to Confluence Data Center/Server 8.5.25, 9.2.7, or 10.0.2 or later.
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
