High-Severity Jira Vulnerability Enables Arbitrary File Modification via the JVM Process

Atlassian has disclosed a high-severity path traversal vulnerability in Jira Software Data Center and Server that allows an authenticated attacker to modify files accessible to the Jira Java Virtual Machine (JVM) process.

The vulnerability, tracked as CVE-2025-22167, carries a High severity rating with a CVSS score of 8.7 and is a significant risk for organizations that rely on Jira for project management and issue tracking.

Understanding the Vulnerability Impact

The path traversal flaw lets an authenticated user write to filesystem locations outside the directories Jira is meant to write to.

What can be overwritten is bounded only by the permissions of the operating-system account running the JVM: depending on the deployment, that can include application configuration, other application data, or system files.

The vulnerability is particularly dangerous where many people hold accounts on the same instance, for example external collaborators, contractors, or partner organizations, because any ordinary account clears the authentication bar.

The published vector (AV:N/AC:L/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) uses CVSS 4.0 metric names; the VC/VI/VA and SC/SI/SA metrics do not exist in CVSS 3.1. It reads as: reachable over the network (AV:N), low attack complexity (AC:L), low privileges required (PR:L, i.e. a normal authenticated user rather than an administrator), no user interaction (UI:N), high confidentiality, integrity, and availability impact on the vulnerable system (VC/VI/VA:H), and no impact on subsequent systems (SC/SI/SA:N).

In practice, an authenticated attacker could compromise the integrity of the Jira host by writing files to any location the Jira JVM process account is permitted to write.
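To make the vulnerability class concrete, the following is an added example (not Jira's code and not Atlassian's fix) showing a generic "save uploaded file" routine in its path-traversal-prone form beside a hardened form, run against a throwaway directory tree. The attachment-store layout, the `app.properties` file and the `../../` payload are constructed for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Constructed scenario, not Jira code: an attachment store under a base directory
# that the application process user can write to. It illustrates the general class
# of the flaw (path traversal leading to an arbitrary write) and one hardened form.


def save_attachment_vulnerable(base_dir: str, filename: str, data: bytes) -> str:
    """Vulnerable writer: the caller-controlled name is joined onto the base
    directory without canonicalisation, so '../' segments climb out of it and an
    absolute name discards the base entirely (os.path.join semantics)."""
    target = os.path.join(base_dir, filename)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def save_attachment_hardened(base_dir: str, filename: str, data: bytes) -> str:
    """Hardened writer: reject traversal and absolute names up front, then resolve
    the final path (symlinks included) and require it to stay inside the resolved
    base. commonpath is used rather than startswith so that a sibling directory
    such as 'attachments-old' does not pass as a prefix match."""
    base = Path(base_dir).resolve()
    if os.path.isabs(filename) or "\x00" in filename or ".." in Path(filename).parts:
        raise ValueError(f"rejected filename: {filename!r}")
    target = (base / filename).resolve()
    if os.path.commonpath([str(base), str(target)]) != str(base):
        raise ValueError(f"path escapes base directory: {target}")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return str(target)


def demo() -> dict:
    """Run both writers against a throwaway directory tree and report the outcome
    as booleans so the result can be checked rather than eyeballed."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    try:
        base = os.path.join(root, "jira-home", "data", "attachments")
        os.makedirs(base)
        # Stand-in for a file outside the store that the process user can write.
        outside = os.path.join(root, "jira-home", "app.properties")
        with open(outside, "w") as fh:
            fh.write("original=true\n")

        payload = "../../app.properties"  # two levels up from .../data/attachments

        written = save_attachment_vulnerable(base, payload, b"overwritten=true\n")
        real_base = os.path.realpath(base)
        escaped = os.path.commonpath([real_base, os.path.realpath(written)]) != real_base
        with open(outside) as fh:
            overwritten = fh.read() == "overwritten=true\n"

        try:
            save_attachment_hardened(base, payload, b"blocked\n")
            blocked = False
        except ValueError:
            blocked = True

        allowed = save_attachment_hardened(base, "2025/report.txt", b"fine\n")
        allowed_inside = os.path.commonpath([real_base, os.path.realpath(allowed)]) == real_base

        return {
            "vulnerable_escaped_base": escaped,
            "config_overwritten": overwritten,
            "hardened_blocked_traversal": blocked,
            "hardened_allowed_inside": allowed_inside,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that rejecting `..` alone is not enough: the final resolved path is checked against the resolved base so that symlinks inside the store cannot be used to reach outside it, and the check is a directory-boundary comparison rather than a string prefix test.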

The vulnerability was first introduced in Jira Software version 9.12.0, with affected versions spanning multiple release branches.

Atlassian has already released patches to remediate the issue, and organizations running vulnerable versions should prioritize immediate upgrades to address this threat.

CVE ID          | Product                               | Vulnerability Type               | CVSS 4.0 Score | Status
CVE-2025-22167  | Jira Software Data Center and Server  | Path Traversal (Arbitrary Write) | 8.7 (High)     | Patched

For organizations that cannot move to the latest release immediately, Atlassian has published a fixed version on each affected release branch.

Users on the 9.12 branch should upgrade to 9.12.28 or later; those on the 10.3 branch to 10.3.12 or later; and those on 11.0 to 11.1.0 or later.

Atlassian strongly recommends that all Jira Software Data Center and Server customers prioritize upgrading to the latest available version immediately.

The vulnerability affects both Data Center and Server installations, making this a widespread concern across enterprises utilizing these platforms.

Because Atlassian disclosed the finding together with fixed versions, organizations have a window in which to patch before exploitation is observed. That window should not be assumed to be long: once a fix is public, comparing the patched and unpatched releases to locate the traversal check is routine work for an attacker.

Organizations should inventory their Jira deployments, record the exact version each instance is running, and apply the fixed release for that instance's branch and deployment type.
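To turn the upgrade paths and the inventory recommendation above into something repeatable, the following added example (not Atlassian's tooling) classifies Jira version strings against the fixed releases named in this article and orders a constructed inventory with affected instances first. Versions are taken from the JSON body returned by Jira's `/rest/api/2/serverInfo` endpoint; the HTTP call itself is left to the reader, and the instance names and responses here are made up. Branches the article does not name (for example 10.0 to 10.2 and 10.4 to 11.0) are treated as affected with 11.1.0 as the fix; that treatment is this example's assumption, not a statement from the advisory.

```python
import json
import re

# Fixed versions as stated in the advisory summary above. Branches the page does not
# name (for example 10.0-10.2 and 10.4-11.0) are treated here as affected, with
# 11.1.0 as the only fix on record; that treatment is an assumption of this example.
FIRST_AFFECTED = (9, 12, 0)
FIXED_BY_BRANCH = {
    (9, 12): (9, 12, 28),
    (10, 3): (10, 3, 12),
}
FIXED_LATEST = (11, 1, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Turn '10.3.5' (or '10.3.5-something') into a comparable (10, 3, 5) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jira version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def fmt(v: tuple) -> str:
    return ".".join(str(x) for x in v)


def assess(version: str) -> dict:
    """Decide whether a version is affected by CVE-2025-22167 and name the
    fixed release on its branch."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return {"version": version, "affected": False,
                "note": "predates 9.12.0, where the flaw was introduced"}
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
    else:
        fixed = FIXED_LATEST  # assumption for branches the advisory summary does not name
    if v >= fixed:
        return {"version": version, "affected": False,
                "note": f"at or above fixed release {fmt(fixed)}"}
    return {"version": version, "affected": True, "fixed_version": fmt(fixed),
            "note": f"upgrade to {fmt(fixed)} or later"}


def version_from_server_info(body: str) -> str:
    """Extract the version field from a /rest/api/2/serverInfo response body.
    The HTTP call itself is out of scope here; the body is supplied by the caller."""
    return json.loads(body)["version"]


def triage(inventory: dict) -> list:
    """inventory maps an instance label to its serverInfo JSON body; returns the
    affected instances first, each with the fixed release to move to."""
    results = [dict(assess(version_from_server_info(body)), instance=name)
               for name, body in inventory.items()]
    return sorted(results, key=lambda r: (not r["affected"], r["instance"]))


# Constructed inventory for demonstration; these are not real hosts or responses.
SAMPLE_INVENTORY = {
    "jira-lts-a": '{"version": "9.12.27", "deploymentType": "DataCenter"}',
    "jira-lts-b": '{"version": "10.3.12", "deploymentType": "DataCenter"}',
    "jira-dev": '{"version": "11.0.1", "deploymentType": "DataCenter"}',
    "jira-legacy": '{"version": "9.4.20", "deploymentType": "Server"}',
}

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        status = "AFFECTED" if r["affected"] else "ok"
        print(f"{r['instance']:<12} {r['version']:<9} {status:<9} {r['note']}")
```

Comparing versions as integer tuples rather than strings matters here: a string comparison would rank 9.12.9 above 9.12.28 and mark a vulnerable instance as fixed.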

Security teams should treat this vulnerability as high priority, given that it allows arbitrary file writes as the Jira process account. Where an instance was reachable by untrusted accounts while unpatched, it is also worth checking the Jira home and installation directories for unexpected file modifications after upgrading, since patching does not undo changes already made.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
