CVE-2025-22167 Overview
CVE-2025-22167 is a high severity path traversal vulnerability affecting Atlassian Jira Software Data Center and Server. The flaw allows an authenticated attacker to write arbitrary files to any filesystem path writable by the Jira JVM process. The vulnerability was introduced in versions 9.12.0 and 10.3.0 and remains present through 11.0.0. Atlassian disclosed the issue through its internal security program and assigned it CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
An attacker with low privileges can overwrite files accessible to the Jira JVM process, enabling configuration tampering, application file replacement, and potential code execution paths.
Affected Products
- Atlassian Jira Software Data Center and Server 9.12.0 through versions prior to 9.12.28
- Atlassian Jira Software Data Center and Server 10.3.0 through versions prior to 10.3.12
- Atlassian Jira Software Data Center and Server 11.0.0 through versions prior to 11.1.0
Discovery Timeline
- 2025-10-22 - CVE-2025-22167 published to NVD
- 2025-12-05 - Last updated in NVD database
Technical Details for CVE-2025-22167
Vulnerability Analysis
The vulnerability is classified under CWE-22, Improper Limitation of a Pathname to a Restricted Directory. Jira fails to adequately validate user-supplied path components before performing filesystem write operations. An authenticated attacker can supply traversal sequences to escape the intended directory and target arbitrary paths writable by the Jira JVM process.
The attack is reachable over the network and requires low privileges with no user interaction. Successful exploitation impacts confidentiality, integrity, and availability of the Jira instance. Attackers can overwrite configuration files, plugin artifacts, scheduled task definitions, or other application-managed files. Depending on which files are targeted, this can lead to authentication tampering, privilege escalation within Jira, or downstream code execution when the JVM reads tampered files.
Root Cause
The root cause is missing or insufficient canonicalization of pathname inputs prior to file write operations. Jira accepts a path-bearing input from an authenticated request and concatenates or resolves it without rejecting .. segments or absolute path overrides. Any location writable by the Jira service account becomes a valid write target.
Attack Vector
Exploitation requires network access to the Jira web interface and a low-privileged authenticated session. The attacker submits a crafted request containing traversal sequences in a path parameter handled by a vulnerable write endpoint. The Jira process then writes attacker-controlled content to the resolved path. Atlassian has not published proof-of-concept details, and the specific endpoint has not been disclosed in the advisory. Refer to the Atlassian security advisory and the JSWSERVER-26552 issue for vendor-supplied technical details.
Detection Methods for CVE-2025-22167
Indicators of Compromise
- Unexpected modifications to files within the Jira installation directory, jira-home, plugin cache, or shared home in clustered deployments
- New or modified files in directories writable by the Jira service account but outside normal Jira write paths
- HTTP request logs containing traversal sequences such as ../, ..%2f, or absolute paths in body or query parameters
- Anomalous authenticated POST or PUT requests from low-privilege accounts targeting file-handling endpoints
Detection Strategies
- Inspect Jira access logs for request URIs and parameters containing path traversal patterns and correlate with the authenticated user identity
- Enable filesystem integrity monitoring on the Jira installation, jira-home, and plugin directories to alert on unauthorized writes
- Review Jira audit logs for unexpected administrative or configuration changes that follow file write activity
Monitoring Recommendations
- Forward Jira application, access, and audit logs to a central log analytics platform and alert on traversal indicators
- Monitor process behavior of the Jira JVM for writes outside expected directories using endpoint telemetry
- Track outbound network connections from the Jira host that could indicate post-exploitation activity
How to Mitigate CVE-2025-22167
Immediate Actions Required
- Upgrade Jira Software Data Center and Server to a fixed version as identified by Atlassian
- Restrict network access to the Jira web interface to trusted networks and authenticated users only
- Audit existing Jira user accounts and revoke unnecessary access, particularly for accounts that no longer require interactive login
- Review filesystem permissions on the Jira service account to enforce least privilege on writable paths
Patch Information
Atlassian has released fixed builds. Customers should upgrade according to their installed branch:
- Jira Software Data Center and Server 9.12 branch: upgrade to 9.12.28 or later
- Jira Software Data Center and Server 10.3 branch: upgrade to 10.3.12 or later
- Jira Software Data Center and Server 11.0 branch: upgrade to 11.1.0 or later
Download fixed versions from the Atlassian download center and consult the vendor advisory for full release notes.
Workarounds
- No official workaround has been published by Atlassian; upgrading is the supported remediation
- As a compensating control, place the Jira instance behind a web application firewall and block requests containing path traversal patterns in parameters
- Constrain the Jira service account to a minimal set of writable directories using operating system file permissions and mandatory access controls
# Example: verify installed Jira version before and after upgrade
cat /opt/atlassian/jira/atlassian-jira/WEB-INF/classes/jira-application.properties | grep version
# Example: restrict Jira service account write scope (Linux)
chown -R jira:jira /var/atlassian/application-data/jira
chmod -R 750 /var/atlassian/application-data/jira
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
