Atlassian has disclosed a critical path traversal vulnerability affecting Jira Software Data Center and Server that could allow authenticated attackers to modify files accessible to the Jira Java Virtual Machine (JVM) process.
The vulnerability, tracked as CVE-2025-22167, carries a high severity rating with a CVSS score of 8.7 and affects multiple product versions dating back to September 2025.
| CVE ID | CVE-2025-22167 |
| Product | Jira Software Data Center and Server |
| Vulnerability Type | Path Traversal (Arbitrary Write) |
| CVSS v3.1 Score | 8.7 (High) |
The vulnerability enables attackers with authenticated access to exploit a path traversal flaw in the Jira platform, potentially compromising system integrity by writing arbitrary files to any location the Jira JVM process has permissions to access.
This could lead to unauthorised modifications of critical system files, configuration files, or application data, depending on the JVM process permissions within the deployment environment.
Affected Versions and Timeline
The vulnerability was first introduced in Jira Software version 9.12.0, with affected versions spanning across multiple release branches including 9.12.0 through 9.12.27, 10.3.0 through 10.3.11, and 11.0.0 through 11.0.1.
Atlassian reported internally discovering this flaw and has already released patches to remediate the issue. Organizations running vulnerable versions should prioritize immediate upgrades to address this threat.
Atlassian strongly recommends that all Jira Software Data Center and Server customers upgrade to the latest available version.
For organizations unable to immediately deploy the latest release, Atlassian has provided specific upgrade paths based on your current version branch. Users running Jira Software version 9.12 should upgrade to version 9.12.28 or later.
Those on the 10.3 branch need to upgrade to 10.3.12 or higher. Customers using version 11.0 should upgrade to 11.1.0 or later.
The vulnerability is classified as a path traversal attack with arbitrary write capabilities, making it particularly dangerous in multi-tenant or shared environments.
The CVSS v3 vector (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) indicates that the vulnerability requires network access and valid authentication but presents high confidentiality, integrity, and availability risks to vulnerable systems.
The vulnerability affects both Data Center and Server installations of Jira Software, making this a widespread concern across enterprises utilizing these platforms for project management and issue tracking.
Atlassian’s transparency in disclosing this internal security finding allows organizations adequate time to patch systems before potential exploitation occurs.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
