CVE-2025-22167 is a path traversal vulnerability classified under CWE-22, impacting Atlassian Jira Software Data Center and Server editions. Introduced in versions 9.12.0, 10.3.0, and present in 11.0.0, this vulnerability allows an attacker with low privileges (PR:L) and no user interaction (UI:N) to write arbitrary files anywhere on the filesystem locations writable by the Jira JVM process. The vulnerability arises from insufficient validation of file path inputs, enabling traversal sequences to escape intended directories and overwrite or create files arbitrarily. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) indicates network attack vector, low complexity, no authentication or user interaction required, and high impact on confidentiality, integrity, and availability. Exploiting this flaw could allow attackers to modify configuration files, implant malicious code, or disrupt Jira services, potentially leading to remote code execution or denial of service. Atlassian has addressed the issue in versions 9.12.28+, 10.3.12+, and 11.1.0+, urging users to upgrade promptly. No public exploit code or active exploitation has been reported yet, but the vulnerability’s characteristics make it a critical risk for organizations relying on Jira for project management and issue tracking.

The vulnerability poses a severe risk to organizations worldwide using affected Jira versions. Successful exploitation can compromise the confidentiality, integrity, and availability of Jira instances by allowing attackers to overwrite arbitrary files, including configuration files, logs, or executable scripts. This could lead to unauthorized access escalation, remote code execution, data corruption, or service outages. Given Jira’s widespread use in software development, IT service management, and business operations, exploitation could disrupt critical workflows and expose sensitive project data. The vulnerability’s network accessibility and lack of required authentication increase the likelihood of exploitation, especially in environments where Jira is exposed to untrusted networks. Organizations failing to patch may face operational disruptions, reputational damage, and potential compliance violations.

Organizations should immediately upgrade affected Jira Software Data Center and Server instances to the fixed versions: 9.12.28 or later, 10.3.12 or later, or 11.1.0 or later. If immediate upgrade is not feasible, implement strict network segmentation and firewall rules to restrict access to Jira servers, limiting exposure to trusted internal networks only. Review and harden filesystem permissions to minimize writable paths accessible by the Jira JVM process, reducing the attack surface. Monitor Jira logs and system files for unusual modifications or access patterns indicative of exploitation attempts. Employ intrusion detection systems (IDS) and endpoint detection and response (EDR) tools to detect anomalous behavior. Regularly audit and update security policies related to Jira deployments. Additionally, consider temporarily disabling any unnecessary plugins or integrations that might increase attack vectors until patches are applied.