JEditor Security Advisory: CVE-2025-48976 vulnerability in the commons-fileupload 1.5 library in JEditor 3.25.4 and older versions

Hello,

We are writing to let you know about a security vulnerability that was recently identified in JEditor:

  • CVE-2025-48976

This vulnerability affects version 3.25.4 and all earlier versions of the JEditor — Rich Text Editor for Jira app we develop. It is not in JEditor's own code: it lies in a transitive dependency, Apache Commons FileUpload 1.5, which JEditor uses to parse multipart uploads. The vulnerability is severe and can be used to mount a denial-of-service attack against Jira nodes.

The vulnerability is rated as severe on the Common Vulnerability Scoring System (CVSS) scale.

Our internal security scanners detected the vulnerability in early July. After becoming aware of the issue, we upgraded the affected library to version 1.6.0 and limited the maximum size of a multipart part header to one kilobyte. Together, the dependency upgrade and the part-header limit prevent the flaw from being exploited and remove the risk of a denial-of-service attack through it. Because of our internal processes, we could not ship the fix with our regular July updates. The Atlassian DC App Security Scanner Platform also identified and reported the vulnerability in JEditor 3.25.4.
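As an added illustration of the mitigation described above (example code written for this advisory, not JEditor's own source), the following class configures a commons-fileupload 1.6.0 servlet parser with an explicit one-kilobyte cap on each part's header block, alongside the request-level limits a hardened upload endpoint should also set. The method name setPartHeaderSizeMax is assumed to be the API introduced in 1.6.0 for this CVE; the class name and the file-size, request-size and file-count values are illustrative choices for this example.

```java
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/**
 * Added example (not JEditor's code). Parses a multipart request with the
 * mitigation the advisory describes: commons-fileupload 1.6.0 plus an
 * explicit 1 KiB cap on each part's header block. All other limits are
 * illustrative values chosen for this example, not JEditor's settings.
 */
public final class BoundedMultipartParser {

    /** Per-part header cap; the advisory says JEditor limits this to one kilobyte. */
    static final int PART_HEADER_SIZE_MAX = 1024;

    /** Illustrative limits; the header cap alone does not bound the request body. */
    static final long FILE_SIZE_MAX = 10L * 1024 * 1024;    // 10 MiB per uploaded file
    static final long REQUEST_SIZE_MAX = 50L * 1024 * 1024; // 50 MiB per request
    static final long FILE_COUNT_MAX = 20;                  // parts per request

    private BoundedMultipartParser() { }

    /** Builds a parser with every resource limit set explicitly. */
    static ServletFileUpload newUpload() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        // setPartHeaderSizeMax is assumed to be the setter added in 1.6.0 for
        // CVE-2025-48976. It does not exist in 1.5, so a build that still
        // resolves the vulnerable version fails to compile here instead of
        // silently running without the cap.
        upload.setPartHeaderSizeMax(PART_HEADER_SIZE_MAX);
        upload.setFileSizeMax(FILE_SIZE_MAX);
        upload.setSizeMax(REQUEST_SIZE_MAX);
        upload.setFileCountMax(FILE_COUNT_MAX);
        return upload;
    }

    /**
     * Parses the request. A violated limit surfaces as a FileUploadException;
     * the caller should answer with a 4xx status and log the client, never
     * retry with larger limits.
     */
    static List<FileItem> parse(HttpServletRequest request) throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new FileUploadException("expected a multipart/form-data request");
        }
        return newUpload().parseRequest(request);
    }
}
```

The explicit setter is the practitioner's check: a dependency tree that still resolves commons-fileupload 1.5 (for example through another app's shaded copy or an unmanaged transitive version) will not compile against this class, which turns a silent downgrade into a build failure. Run the project's dependency tree report after upgrading to confirm that 1.6.0 is the only version on the classpath.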

Based on our investigation, the vulnerability does not allow remote code execution and cannot grant an attacker any privileges; its impact is limited to availability.

The Jira instances most at risk are:

  • Internet-facing Jira instances that allow anonymous users to create attachments and where the JEditor option Users must be authorized to upload files (Jira administration > Manage apps > JEditor > Security) is disabled.
  • Jira Service Management instances with a service portal where users can self-register, create tickets, and upload files.

To fix the vulnerability in your environment, upgrade to JEditor 3.25.5.
Please note: upgrading JEditor to version 3.25.5 resolves the issue on JEditor's side only. Jira itself and other installed apps may ship their own copy of the affected library and may still need to be updated.

We want you to know that we take this issue very seriously. We have conducted a thorough review of our internal processes to ensure we can deliver security fixes faster.

If you have any questions, please feel free to raise a support request at our support portal.

Sincerely,
Kirill Bobrovskikh
JEditor's project manager
