CVE-2025-48391

7.7 HIGH

📋 TL;DR

This vulnerability in JetBrains YouTrack allows unauthorized deletion of issues because the API is missing permission checks. Any YouTrack instance that has users who are not supposed to hold issue-deletion permission is affected. The flaw amounts to a privilege escalation: authenticated users can delete issues they have no right to delete.

💻 Affected Systems

Products:
  • JetBrains YouTrack
Versions: All versions before 2025.1.76253
Operating Systems: All platforms running YouTrack
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all YouTrack deployments regardless of configuration. The vulnerability is in the API permission checking logic.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious or compromised user account could delete all issues in the system, causing complete data loss and operational disruption.

🟠 Likely Case

An internal user with limited permissions accidentally or intentionally deletes issues they should not have access to, causing data loss and workflow disruption.

🟢 If Mitigated

With proper access controls and auditing, impact is limited to minor data loss that can be restored from backups.

🌐 Internet-Facing: HIGH if YouTrack is exposed to the internet, as any authenticated user could exploit this vulnerability.
🏢 Internal Only: HIGH as internal users with any level of access could potentially delete issues beyond their permissions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but minimal technical skill. The vulnerability lies in API endpoints that lack the permission checks they should enforce.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.1.76253

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Backup your YouTrack instance.
2. Download YouTrack version 2025.1.76253 or later from JetBrains.
3. Follow JetBrains upgrade instructions for your deployment method (Docker, standalone, etc.).
4. Restart the YouTrack service.

🔧 Temporary Workarounds

Restrict API Access

Temporarily restrict access to YouTrack API endpoints using network controls or web application firewall rules.

Enhanced Monitoring

Implement strict monitoring and alerting for issue deletion events in YouTrack logs.

🧯 If You Can't Patch

  • Implement strict access controls and review all user permissions to minimize attack surface
  • Enable comprehensive auditing and alerting for all issue deletion activities

🔍 How to Verify

Check if Vulnerable:

Check YouTrack version in Administration → Global Settings → About. If version is earlier than 2025.1.76253, you are vulnerable.

Check Version:

Check YouTrack web interface at Administration → Global Settings → About, or check container/process version if using Docker/standalone.

Verify Fix Applied:

After upgrade, verify version is 2025.1.76253 or later in Administration → Global Settings → About. Test issue deletion with limited permission accounts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual patterns of issue deletion events
  • Issue deletions from users without appropriate permissions
  • Multiple rapid issue deletions

Network Indicators:

  • Unusual API call patterns to issue deletion endpoints
  • Bursts of DELETE requests to YouTrack API

SIEM Query:

source="youtrack" AND (event_type="issue_deleted" OR action="delete") | stats count by user, src_ip
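The two log indicators above (deletions by accounts that should not hold the permission, and bursts of rapid deletions) as a small detector over constructed audit lines. This is an added example, not code from the advisory or from JetBrains; the key=value line format, the field names (modelled on the SIEM query's event_type, user, src_ip) and the DELETE_ALLOWED set are assumptions, so adapt the parser to your own log export.

```python
# Added example: flag deletions by unauthorized users and deletion bursts.
# Line format, field names and the allowed-user set are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real YouTrack output).
SAMPLE_LOG = """\
ts=2025-06-01T10:00:01Z event_type=issue_deleted user=alice src_ip=10.0.0.5 issue=PRJ-12
ts=2025-06-01T10:00:02Z event_type=issue_deleted user=bob src_ip=10.0.0.9 issue=PRJ-13
ts=2025-06-01T10:00:03Z event_type=issue_deleted user=bob src_ip=10.0.0.9 issue=PRJ-14
ts=2025-06-01T10:00:04Z event_type=issue_deleted user=bob src_ip=10.0.0.9 issue=PRJ-15
ts=2025-06-01T10:00:05Z event_type=issue_updated user=bob src_ip=10.0.0.9 issue=PRJ-16
ts=2025-06-01T10:30:00Z event_type=issue_deleted user=bob src_ip=10.0.0.9 issue=PRJ-17
"""

# Accounts that are supposed to hold issue-deletion permission (assumed).
DELETE_ALLOWED = {"alice"}

def parse_events(text):
    """Parse key=value lines; keep only issue deletions, with a datetime ts."""
    events = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("event_type") != "issue_deleted":
            continue
        fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events

def unauthorized_deletions(events, allowed=DELETE_ALLOWED):
    """Deletions performed by accounts outside the allowed set."""
    return [e for e in events if e["user"] not in allowed]

def deletion_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Users with >= threshold deletions inside any sliding time window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e["ts"])
    bursty = set()
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window
                start += 1
            if end - start + 1 >= threshold:
                bursty.add(user)
    return sorted(bursty)
```

Feed the real export into parse_events, and use DELETE_ALLOWED populated from the project's actual permission scheme so that every hit from unauthorized_deletions is a deletion that the permission model should have blocked.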
