1. Home
  2. Vulnerabilities
  3. CVE-2025-22167
8.7
HIGH CVSS 4.0
CVE-2025-22167
Jira Software Data Center and Server Path Traversal Arbitrary Write Vulnerability
Description

This High severity Path Traversal (Arbitrary Write) vulnerability was introduced in versions: 9.12.0, 10.3.0 and remain present in 11.0.0 of Jira Software Data Center and Server. This Path Traversal (Arbitrary Write) vulnerability, with a CVSS Score of 8.7, allows an attacker to modify any filesystem path writable by the Jira JVM process. Atlassian recommends that Jira Software Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Jira Software Data Center and Server 9.12: Upgrade to a release greater than or equal to 9.12.28 Jira Software Data Center and Server 10.3: Upgrade to a release greater than or equal to 10.3.12 Jira Software Data Center and Server 11.0: Upgrade to a release greater than or equal to 11.1.0 See the release notes. You can download the latest version of Jira Software Data Center and Server from the download center. This vulnerability was reported via our Atlassian (Internal) program.

INFO

Published Date :

Oct. 22, 2025, 1:16 a.m.

Last Modified :

Oct. 22, 2025, 9:12 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]
Affected Products

The following products are affected by CVE-2025-22167 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

: Total Affected Vendor : 0 | Products : 0
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 4.0 HIGH [email protected]
Solution
Upgrade Jira Software Data Center and Server to a supported fixed version to patch path traversal.
  • Upgrade to Jira Software Data Center and Server version 9.12.28 or higher.
  • Upgrade to Jira Software Data Center and Server version 10.3.12 or higher.
  • Upgrade to Jira Software Data Center and Server version 11.1.0 or higher.
  • Consult release notes for upgrade details.
Public PoC/Exploit Available at Github

CVE-2025-22167 has a 2 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-22167.

URL Resource
https://confluence.atlassian.com/pages/viewpage.action?pageId=1652920034
https://jira.atlassian.com/browse/JSWSERVER-26552
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-22167 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-22167 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
issamjr/CVE-2025-22167

CVE-2025-22167 scanner script

Python

Updated: 1 week, 1 day ago
4 stars 1 fork 1 watcher
Born at : Oct. 27, 2025, 2:23 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
nomi-sec/PoC-in-GitHub

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

security cve exploit poc vulnerability

Updated: 1 day, 1 hour ago
7368 stars 1215 fork 1215 watcher
Born at : Dec. 8, 2019, 1:03 p.m. This repo has been linked 827 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2025-22167 vulnerability anywhere in the article.

  • CybersecurityNews
Jira Software Vulnerability Let Attacker Modify Any Filesystem Path Writable By JVM process

Atlassian has disclosed a high-severity path traversal vulnerability in Jira Software Data Center and Server that enables authenticated attackers to arbitrarily write files to any path accessible by t ... Read more

Published Date: Oct 23, 2025 (2 weeks, 2 days ago)
  • Daily CyberSecurity
ISC Patches Multiple High-Severity BIND Vulnerabilities Enabling Cache Poisoning and Denial of Service Attacks

The Internet Systems Consortium (ISC) has issued patches for three high-severity vulnerabilities impacting the BIND 9 DNS server, including two that could enable cache poisoning attacks (CVE-2025-4077 ... Read more

Published Date: Oct 23, 2025 (2 weeks, 2 days ago)
  • Daily CyberSecurity
Jira Path Traversal Flaw (CVE-2025-22167) Allows Arbitrary File Write on Server/Data Center

Atlassian has released patches addressing a high-severity Path Traversal vulnerability (CVE-2025-22167) affecting Jira Software Data Center and Server as well as Jira Service Management Data Center an ... Read more

Published Date: Oct 23, 2025 (2 weeks, 2 days ago)
  • Daily CyberSecurity
Symantec Exposes Chinese APT Overlap: Zingdoor, ShadowPad, and KrustyLoader Used in Global Espionage

Symantec’s investigation uncovered a complex web of interconnected Chinese espionage operations, with infrastructure and tooling overlapping multiple threat clusters. The team observed the Zingdoor ba ... Read more

Published Date: Oct 23, 2025 (2 weeks, 2 days ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2025-22167 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Oct. 22, 2025

    Action Type Old Value New Value
    Added CWE CWE-22
  • New CVE Received by [email protected]

    Oct. 22, 2025

    Action Type Old Value New Value
    Added Description This High severity Path Traversal (Arbitrary Write) vulnerability was introduced in versions: 9.12.0, 10.3.0 and remain present in 11.0.0 of Jira Software Data Center and Server. This Path Traversal (Arbitrary Write) vulnerability, with a CVSS Score of 8.7, allows an attacker to modify any filesystem path writable by the Jira JVM process. Atlassian recommends that Jira Software Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Jira Software Data Center and Server 9.12: Upgrade to a release greater than or equal to 9.12.28 Jira Software Data Center and Server 10.3: Upgrade to a release greater than or equal to 10.3.12 Jira Software Data Center and Server 11.0: Upgrade to a release greater than or equal to 11.1.0 See the release notes. You can download the latest version of Jira Software Data Center and Server from the download center. This vulnerability was reported via our Atlassian (Internal) program.
    Added CVSS V4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added Reference https://confluence.atlassian.com/pages/viewpage.action?pageId=1652920034
    Added Reference https://jira.atlassian.com/browse/JSWSERVER-26552
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 8.7
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability