CVE-2025-22167
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-22

Last updated on: 2025-12-05

Assigner: Atlassian

Description
This High severity Path Traversal (Arbitrary Write) vulnerability was introduced in versions: 9.12.0, 10.3.0 and remain present in 11.0.0 of Jira Software Data Center and Server. This Path Traversal (Arbitrary Write) vulnerability, with a CVSS Score of 8.7, allows an attacker to modify any filesystem path writable by the Jira JVM process. Atlassian recommends that Jira Software Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Jira Software Data Center and Server 9.12: Upgrade to a release greater than or equal to 9.12.28 Jira Software Data Center and Server 10.3: Upgrade to a release greater than or equal to 10.3.12 Jira Software Data Center and Server 11.0: Upgrade to a release greater than or equal to 11.1.0 See the release notes. You can download the latest version of Jira Software Data Center and Server from the download center. This vulnerability was reported via our Atlassian (Internal) program.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-22
Last Modified
2025-12-05
Generated
2026-06-16
AI Q&A
2025-10-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-22167
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
atlassian jira_data_center From 9.12.0 (inc) to 9.12.28 (exc)
atlassian jira_data_center From 10.3.0 (inc) to 10.3.12 (exc)
atlassian jira_data_center From 11.0.0 (inc) to 11.1.0 (exc)
atlassian jira_server From 9.12.0 (inc) to 9.12.28 (exc)
atlassian jira_server From 10.3.0 (inc) to 10.3.12 (exc)
atlassian jira_server From 11.0.0 (inc) to 11.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-22167 is a high-severity Path Traversal vulnerability in Jira Software Data Center and Server that allows an attacker to perform arbitrary write operations on the filesystem. This means an attacker can write files to any location writable by the Jira JVM process by exploiting path traversal, potentially modifying or adding files in unintended locations. [1]

Impact Analysis

This vulnerability can allow attackers to modify any filesystem path writable by the Jira JVM process, which could lead to unauthorized changes to system files, insertion of malicious files, or disruption of normal application behavior. This can compromise the integrity and security of the affected system. [1]

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade your Jira Software Data Center and Server instances to the latest fixed versions. Specifically, upgrade to versions greater than or equal to 9.12.28 for the 9.12.x line, 10.3.12 for the 10.3.x line, or 11.1.0 for the 11.0.x line. If upgrading to the latest version is not possible, ensure you upgrade at least to these specified fixed versions to protect your system from the Path Traversal vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-22167. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart