Update bundled dependencies to include Apache Log4j Core 2.25.3 or later


    • Type: Suggestion
    • Resolution: Unresolved
    • Component/s: Security - Other

      Summary

      Security scanners are flagging Bitbucket Data Center as vulnerable to CVE-2025-68161 due to bundled libraries (e.g., analytics-client, atlassian-password-cli) that contain Apache Log4j Core versions below 2.25.3.

      The application itself is not exploitable because the libraries do not use the Socket Appender mentioned in CVE-2025-68161.

      Feature request

      Update bundled dependencies in Bitbucket DC to include Apache Log4j Core 2.25.3 or later to avoid false positive alerts.
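The request rests on two facts a scanner usually cannot tell apart: which Apache Log4j Core versions are bundled (possibly nested inside other jars such as the ones named above) and whether any of them is actually configured with a Socket appender. The following is an added example, not Atlassian's or Bitbucket's own tooling, that inventories an install directory the way a defender would to triage such a scanner hit. It assumes the standard `log4j-core-<version>.jar` file naming, that nested jars are plain zip archives, and that logging configuration, where present, is a log4j2 XML file; the Socket-appender check is a regex heuristic on that XML, and the sample directory layout it builds is constructed for the demonstration.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Fixed version named in the issue; anything below it is what scanners flag.
FIXED_VERSION = (2, 25, 3)
CORE_JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")
LOG4J_CONFIG = re.compile(r"(^|/)log4j2[^/]*\.xml$")
# Heuristic (assumption): a Socket appender in log4j2 XML appears either as a
# <Socket .../> element or in the type="Socket" attribute form.
SOCKET_APPENDER = re.compile(r"<\s*Socket\b|type\s*=\s*[\"']Socket[\"']")


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def is_below_fix(version):
    # Tuple comparison; a short version such as "2.25" sorts below 2.25.3.
    return parse_version(version) < FIXED_VERSION


def uses_socket_appender(config_text):
    return SOCKET_APPENDER.search(config_text) is not None


def _inspect_entry(name, reader, label, findings):
    """Record a log4j-core jar or a log4j2 config, or recurse into a nested jar."""
    m = CORE_JAR.search(name)
    if m:
        findings["log4j_core"].append((label, m.group(1), is_below_fix(m.group(1))))
    elif LOG4J_CONFIG.search(name):
        if uses_socket_appender(reader().decode("utf-8", "replace")):
            findings["socket_appender_configs"].append(label)
    elif name.endswith(".jar"):
        _scan_zip(reader(), label, findings)


def _scan_zip(data, label, findings):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            _inspect_entry(name, lambda n=name: zf.read(n), f"{label}!{name}", findings)


def scan(root):
    """Walk an install directory; return bundled log4j-core versions (nested jars
    included) and any log4j2 XML configs that declare a Socket appender."""
    findings = {"log4j_core": [], "socket_appender_configs": []}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            _inspect_entry(path.name, path.read_bytes, str(path), findings)
    return findings


def summarize(findings):
    outdated = [(p, v) for p, v, below in findings["log4j_core"] if below]
    return {
        "outdated": outdated,
        "socket_appender_configs": findings["socket_appender_configs"],
        # Mirrors the issue's reasoning: a version-only scanner hit is a false
        # positive unless a Socket appender is actually configured somewhere.
        "likely_false_positive": bool(outdated) and not findings["socket_appender_configs"],
    }


def build_sample_tree(root):
    """Constructed sample layout (not a real Bitbucket install): a fat client jar
    bundling an old log4j-core with a Console-only config, plus a patched jar."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(lib / "example-client-1.0.jar", "w") as zf:
        zf.writestr("lib/log4j-core-2.17.1.jar", inner.getvalue())
        zf.writestr("log4j2.xml", '<Configuration><Appenders><Console name="c"/>'
                                  "</Appenders></Configuration>")
    with zipfile.ZipFile(lib / "log4j-core-2.25.3.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def scan_sample():
    """Build the constructed tree in a temp dir and return its summary."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return summarize(scan(root))


if __name__ == "__main__":
    for key, value in scan_sample().items():
        print(f"{key}: {value}")
```

Run against a real install directory with `summarize(scan("/path/to/bitbucket"))`; the `outdated` list is what the scanner sees, and an empty `socket_appender_configs` list is the evidence needed to document the finding as a false positive until the bundled versions are raised to 2.25.3 or later.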

              Assignee: Unassigned
              Reporter: JP Mariano
              Votes: 0
              Watchers: 2