CVE-2026-25547
This is a vulnerability in a non-Atlassian Jira dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This High severity DoS (Denial of Service) vulnerability was introduced in versions 10.3.0 and 11.3.0 of Jira Software Data Center. This DoS (Denial of Service) vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a host connected to a network which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Jira Software Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Jira Software Data Center 11.3: Upgrade to a release greater than or equal to 11.3.4 * Jira Software Data Center 10.3: Upgrade to a release greater than or equal to 10.3.19 See the release notes (https://www.atlassian.com/software/jira/download-archives). You can download the latest version of Jira Software Data Center from the download center (https://www.atlassian.com/software/jira/download-archives). The National Vulnerability Database provides the following description for this vulnerability: @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
EPSS 0.02% · 5.8th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Atlassian | Jira Software Data Center | |
| Atlassian | Jira Service Management Data Center |
Exploit Intelligence
- open-flaw/CVE-2026-21717 (github-poc)
- open-flaw/CVE-2026-21717 (github-poc)
- open-flaw/CVE-2026-21717 (github-poc)
- open-flaw/CVE-2026-21717 (github-poc)
- open-flaw/CVE-2026-21717 (github-poc)
- open-flaw/CVE-2026-21717 (github-poc)
- open-flaw/CVE-2026-21717 (github-poc)
- open-flaw/CVE-2026-21717 (github-poc)
- open-flaw/CVE-2026-21717 (github-poc)
- open-flaw/CVE-2026-21717 (github-poc)
…and 696 more exploits
Timeline
- Feb 3, 2026 CVE Published
- Feb 5, 2026 CVE Updated
- Feb 5, 2026 EPSS Score
- Feb 7, 2026 EPSS Score
- Feb 7, 2026 Security Advisory
- Feb 9, 2026 EPSS Score
- Feb 12, 2026 EPSS Score
- Feb 14, 2026 EPSS Score
- Feb 16, 2026 EPSS Score
- Feb 18, 2026 EPSS Score
- Feb 20, 2026 EPSS Score
- Feb 23, 2026 EPSS Score