VDB

CVE-2026-25547

CVE-2026-25547 PUBLISHED CVSS 9.199999809265137 CRITICAL

This is a vulnerability in a non-Atlassian Jira dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This High severity DoS (Denial of Service) vulnerability was introduced in versions 10.3.0 and 11.3.0 of Jira Software Data Center. This DoS (Denial of Service) vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a host connected to a network which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Jira Software Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Jira Software Data Center 11.3: Upgrade to a release greater than or equal to 11.3.4 * Jira Software Data Center 10.3: Upgrade to a release greater than or equal to 10.3.19 See the release notes (https://www.atlassian.com/software/jira/download-archives). You can download the latest version of Jira Software Data Center from the download center (https://www.atlassian.com/software/jira/download-archives). The National Vulnerability Database provides the following description for this vulnerability: @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.

EPSS 0.02% · 5.8th percentile

Risk Scores

CVSS 3.1
9.199999809265137
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.02%
5.8th percentile

Affected Products

VendorProductVersions
AtlassianJira Software Data Center
AtlassianJira Service Management Data Center

Exploit Intelligence

…and 696 more exploits

Timeline

  • Feb 3, 2026 CVE Published
  • Feb 5, 2026 CVE Updated
  • Feb 5, 2026 EPSS Score
  • Feb 7, 2026 EPSS Score
  • Feb 7, 2026 Security Advisory
  • Feb 9, 2026 EPSS Score
  • Feb 12, 2026 EPSS Score
  • Feb 14, 2026 EPSS Score
  • Feb 16, 2026 EPSS Score
  • Feb 18, 2026 EPSS Score
  • Feb 20, 2026 EPSS Score
  • Feb 23, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›