CVE-2025-48391: CWE-306 in JetBrains YouTrack

Severity: High
Tags: Vulnerability, CVE-2025-48391, CWE-306
Published: Tue May 20 2025 (05/20/2025, 17:37:42 UTC)
Source: CVE
Vendor/Project: JetBrains
Product: YouTrack

Description

In JetBrains YouTrack before 2025.1.76253, deletion of issues was possible due to missing permission checks in the API.

AI-Powered Analysis

Last updated: 07/11/2025, 13:03:30 UTC

Technical Analysis

CVE-2025-48391 is a high-severity vulnerability identified in JetBrains YouTrack, a popular issue tracking and project management tool widely used by software development teams. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). Specifically, in versions of YouTrack prior to 2025.1.76253, the API operation responsible for issue deletion lacks proper permission verification, so a user holding only low-level privileges (PR:L) can delete issues without being authorized to do so.

The vulnerability has a CVSS v3.1 base score of 7.7, indicating high severity. The vector string (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N) shows that the attack can be performed remotely over the network, requires no user interaction, requires low privileges, and results in a high impact on integrity (issue deletion), with no impact on confidentiality or availability. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component.

Although no known exploits are currently reported in the wild, the nature of the flaw (missing permission checks on a critical API operation) makes it a significant risk for organizations relying on YouTrack for issue management. Unauthorized users with limited access could delete issues, disrupting project workflows, erasing critical bug reports, or sabotaging development tracking data. This could lead to loss of important project information and hinder incident response or audit trails.

Potential Impact

For European organizations, the impact of this vulnerability can be substantial, especially for those heavily reliant on YouTrack for managing software development, bug tracking, and project workflows. Unauthorized deletion of issues can cause loss of critical project data, disrupt development cycles, and impair operational continuity. In regulated industries such as finance, healthcare, or government sectors within Europe, such data integrity issues could also lead to compliance violations, audit failures, and reputational damage. The integrity compromise could affect collaborative teams across multiple countries, delaying product releases or security patches. Since the vulnerability requires only low privileges and no user interaction, insider threats or compromised accounts with minimal access could exploit this flaw to cause significant damage. The absence of confidentiality and availability impact limits data leakage or denial of service risks; however, the integrity impact alone is serious enough to warrant urgent attention.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately upgrade JetBrains YouTrack to version 2025.1.76253 or later, where the missing permission checks have been addressed. Until patching is possible, organizations should restrict API access to trusted users only and enforce strict role-based access controls (RBAC) to minimize the number of users with deletion privileges. Implementing monitoring and alerting on issue deletion events can help detect suspicious activity early. Additionally, organizations should audit existing user permissions to ensure no excessive privileges are granted. Employing network segmentation and API gateway controls to limit exposure of the YouTrack API to internal networks or VPN users can reduce the attack surface. Regular backups of issue data should be maintained to enable recovery in case of malicious deletions. Finally, educating users about the risks of credential compromise and enforcing strong authentication mechanisms (e.g., MFA) can help prevent unauthorized exploitation.

Technical Details

Data Version
5.1
Assigner Short Name
JetBrains
Date Reserved
2025-05-19T16:15:34.137Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0f71484d88663aeade0

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/11/2025, 1:03:30 PM

Last updated: 7/30/2025, 4:08:47 PM
