Atlassian has disclosed a high-severity path traversal vulnerability in Jira Software Data Center and Server that allows an authenticated attacker to write arbitrary files to any path the Java Virtual Machine (JVM) process can access.
The flaw, tracked as CVE-2025-22167 with a CVSS score of 8.7, affects releases from 9.12.0 through 11.0.1 that predate the fixed versions, was discovered internally by Atlassian, and comes with an urgent recommendation to patch.
Organizations that rely on Jira for project management risk data tampering or service disruption if they leave it unpatched.
Path Traversal Flaw Exposed
The vulnerability stems from inadequate validation of user-supplied paths in a file-handling mechanism, which lets a low-privileged authenticated user bypass the intended path restrictions.
By crafting a malicious request, an attacker can include traversal sequences such as "../" to reach directories outside the intended scope and write arbitrary data to any location where the JVM process has write permission.
The bug was introduced in 9.12.0 and 10.3.0 and persisted into the 11.0 branch; it is fixed in 9.12.28, 10.3.12 and 11.1.0.
Atlassian's assessment is that no user interaction is required and the attack vector is network-based with low complexity, so the flaw is exploitable remotely by anyone holding a valid account.
Although it is primarily an arbitrary-write issue, combining it with other flaws could extend it to file reads, escalating the impact to data exfiltration or code injection.
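To make the mechanism concrete, the following is an added example (not Atlassian's code, and not the Jira component in question, which the advisory does not identify) showing the vulnerable shape of a file-write helper next to a hardened one. The base directory, the file names and the traversal inputs are all constructed for illustration; the vulnerable version joins the caller's path to the base directory unchecked, so "../" segments or an absolute path land the write wherever the process itself may write, which is exactly the "any path accessible by the JVM" outcome described above.

```python
import tempfile
from pathlib import Path

# Scratch directory so the example runs anywhere; "app" plays the role of
# the directory the application intends to confine writes to (constructed).
ROOT = Path(tempfile.mkdtemp(prefix="traversal-demo-")).resolve()
BASE = ROOT / "app"
BASE.mkdir()


def vulnerable_write(user_path: str, data: bytes) -> Path:
    """Vulnerable pattern: the user-supplied path is joined to BASE without
    any check. '../' segments (or an absolute path, which Path.__truediv__
    simply substitutes for BASE) escape the base directory, so the write
    lands wherever the process has permission.  Never ship this shape."""
    target = BASE / user_path
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target.resolve()


def is_contained(user_path: str, base: Path = BASE) -> bool:
    """Canonicalise first (collapsing '..' and following symlinks), then
    require the result to be strictly below base.  Checking the raw string
    for '../' is not enough: encoded or symlinked variants would slip past."""
    candidate = (base / user_path).resolve()
    return candidate != base and base in candidate.parents


def safe_write(user_path: str, data: bytes) -> Path:
    """Hardened pattern: reject anything that resolves outside BASE before
    touching the filesystem."""
    if not is_contained(user_path):
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    target = (BASE / user_path).resolve()
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    # The vulnerable helper happily writes into ROOT, one level above BASE.
    print("escaped to:", vulnerable_write("../escaped.txt", b"x"))
    print("ok:", safe_write("reports/ok.txt", b"ok"))
    for bad in ("../escaped.txt", "/etc/passwd", "reports/../../escaped.txt"):
        try:
            safe_write(bad, b"x")
        except PermissionError as e:
            print("rejected:", e)
```

The containment check resolves the path before comparing, so a symlink planted inside the base directory that points elsewhere is also rejected. It does not close the window between the check and the write if an attacker can swap a directory for a symlink in that interval; on Linux that race is best closed by opening the file with a flag such as O_NOFOLLOW or by working from a directory file descriptor, which is out of scope for this short example.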
For businesses that use Jira in software development or IT operations, exploitation could corrupt configuration files, alter project data or deploy malware, leading to operational disruption or compliance breaches.
The high integrity and availability impacts mean an attacker might delete logs, tamper with stored data or cause a denial of service by overwriting critical files.
In regulated sectors such as finance or healthcare, this could indirectly expose intellectual property or patient information.
No public exploit is known at the time of writing, but because exploitation requires only a basic authenticated account, the urgency is heightened, especially for internet-facing instances.
Mitigations
Atlassian urges an immediate upgrade to a patched version: 9.12.28 or later for the 9.12 line, 10.3.12 or later for 10.3, and 11.1.0 or later for the newest branch.
Organizations that cannot move to the latest release should at least upgrade to one of these minimum fixed versions and follow the release notes for details. As interim measures, restrict the filesystem permissions of the JVM process to the directories Jira genuinely needs, segment network access to the instance, and enable anomaly detection for unexpected file changes.
Backups and audits are essential to recover from a potential incident. The internal discovery underscores Atlassian's proactive stance, but delayed patching could invite targeted attacks in a landscape rife with supply chain threats.
With over 200,000 organizations dependent on Jira, swift action is critical to safeguard workflows.
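As a starting point for the detection side of the mitigations above, here is an added example (not Atlassian tooling and not part of the original article) that scans Tomcat-style access-log lines for directory-traversal sequences in the request target. It percent-decodes repeatedly so that double-encoded and backslash variants are not missed, then flags any request whose decoded target contains a ".." path segment. The log lines and the endpoint name are constructed for illustration; Atlassian's advisory does not name the vulnerable handler, so a real deployment would run this over the instance's actual access logs rather than a known URL.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Tomcat "common" access-log format.
# The endpoint is hypothetical; the real vulnerable handler is not public.
SAMPLE_LOG = """\
10.0.0.5 - alice [24/Oct/2025:10:15:01 +0000] "POST /rest/hypothetical/export?name=report.csv HTTP/1.1" 200 512
10.0.0.9 - mallory [24/Oct/2025:10:16:44 +0000] "POST /rest/hypothetical/export?name=..%2F..%2F..%2Fescaped.txt HTTP/1.1" 200 512
10.0.0.9 - mallory [24/Oct/2025:10:17:02 +0000] "POST /rest/hypothetical/export?name=%252e%252e%252fescaped.txt HTTP/1.1" 200 512
10.0.0.9 - mallory [24/Oct/2025:10:17:30 +0000] "POST /rest/hypothetical/export?name=..%5C..%5Cescaped.txt HTTP/1.1" 200 512
10.0.0.7 - bob [24/Oct/2025:10:18:10 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 9031
"""

# client - user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." that stands alone as a path segment: not preceded by a word
# character or another dot (so "file..txt" is ignored) and followed by a
# slash, backslash or end of string.  Applied only after decoding.
TRAVERSAL_RE = re.compile(r'(?<![\w.])\.\.(?=[/\\]|$)')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double- or triple-encoded '..%2F' forms are normalised before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(log_text: str) -> list[dict]:
    """Return one record per request whose decoded target contains a
    traversal segment.  Status is kept so a 2xx hit can be prioritised."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        decoded = fully_decode(m["target"])
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                "ip": m["ip"],
                "user": m["user"],
                "ts": m["ts"],
                "target": m["target"],
                "decoded": decoded,
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["user"]} {hit["status"]} {hit["decoded"]}')
```

This is a heuristic, not a signature for CVE-2025-22167: legitimate traffic almost never carries a bare ".." segment, so hits are worth triaging, but a flagged request that returned 2xx should be correlated with file-integrity events on the Jira host rather than treated as proof of a successful write.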