CVE-2025-64773

2.7 LOW

📋 TL;DR

A race condition vulnerability in JetBrains YouTrack allows bypassing helpdesk Agent license limits. This affects organizations using YouTrack's helpdesk functionality with concurrent user access. Attackers could potentially create more Agent accounts than licensed, violating licensing terms.

💻 Affected Systems

Products:
  • JetBrains YouTrack
Versions: All versions before 2025.3.104432
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects YouTrack instances with helpdesk functionality enabled and Agent licensing configured.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized users gain Agent privileges beyond licensed limits, potentially accessing sensitive helpdesk data and performing administrative actions without proper authorization.

🟠

Likely Case

License compliance violation where organizations unintentionally exceed Agent limits, potentially leading to licensing audit issues or unexpected costs.

🟢

If Mitigated

Minimal impact with proper access controls and monitoring; primarily a licensing compliance issue rather than security breach.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and precise timing to trigger race condition; not trivial to exploit reliably.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.3.104432

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Back up YouTrack data and configuration.
2. Download YouTrack 2025.3.104432 or later from the JetBrains website.
3. Stop the YouTrack service.
4. Install/upgrade to the patched version.
5. Restart the YouTrack service.
6. Verify the version and functionality.

🔧 Temporary Workarounds

Limit Concurrent Sessions (applies to: all)

Reduce simultaneous user access to minimize race condition opportunities.

Monitor Agent Count (applies to: all)

Implement regular checks of active Agent accounts against license limits.

🧯 If You Can't Patch

  • Implement strict access controls and monitor Agent account creation
  • Regularly audit Agent counts and enforce license compliance manually

🔍 How to Verify

Check if Vulnerable:

Check the YouTrack version in Administration → System → About. If the version is earlier than 2025.3.104432, the instance is vulnerable.

Check Version:

Check the web interface at Administration → System → About, or review the server logs for version information.

Verify Fix Applied:

Confirm version is 2025.3.104432 or later in Administration → System → About, then test Agent creation under concurrent load.
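The version check above is easy to get wrong if the version string is compared lexically ("2025.3.99999" sorts after "2025.3.104432" as text, yet is an older build). The following helper, an added example and not JetBrains code, parses the `YYYY.R.BUILD` form shown on this page into an integer tuple and compares it against the fixed version; the exact shape of the string reported by the About page is an assumption.

```python
import re

# Fixed version stated in the advisory
FIXED_VERSION = "2025.3.104432"


def parse_version(s):
    """Parse a 'YYYY.R.BUILD' version string (e.g. '2025.3.104432') into a
    tuple of ints so that comparisons are numeric, not lexical.
    Missing trailing components (e.g. '2025.3') are treated as 0.
    The string format is an assumption based on the version quoted in the advisory."""
    m = re.fullmatch(r"(\d{4})(?:\.(\d+))?(?:\.(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) if x else 0 for x in m.groups())


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the reported version is older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


if __name__ == "__main__":
    for v in ("2025.3.99999", "2025.3.104432", "2024.3.200000", "2025.3"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Feed it the version string from Administration → System → About; anything it reports as vulnerable should be scheduled for the upgrade steps above.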

📡 Detection & Monitoring

Log Indicators:

  • Multiple Agent creation attempts within short timeframes
  • License limit warnings or errors in logs

Network Indicators:

  • Unusual patterns of concurrent authentication requests
  • Multiple Agent creation API calls in rapid succession

SIEM Query:

source="youtrack" AND (event="agent_created" OR event="license_limit") | bin _time span=1m | stats count by user, _time

(Splunk SPL assumed; `bin _time span=1m` buckets events into one-minute windows before `stats` counts them per user.)
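To make the log indicators above concrete without a SIEM, here is an added detection example (not part of the advisory, and not JetBrains code) that runs over constructed, `key=value`-style log lines. The real YouTrack log format is not shown on this page, so `FIELD_RE` and the event names `agent_created` / `license_limit` are assumptions to adapt. It mirrors the per-user, one-minute counting of the SIEM query and adds a sliding-window burst detector, which is the better fit for a race-condition pattern because a burst that straddles a minute boundary is not split in two.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not real YouTrack output) in a key=value style.
SAMPLE_LOG = """\
2025-11-20T10:00:01Z level=INFO user=alice event=agent_created target=agent1
2025-11-20T10:00:03Z level=INFO user=alice event=agent_created target=agent2
2025-11-20T10:00:04Z level=INFO user=alice event=agent_created target=agent3
2025-11-20T10:00:05Z level=WARN user=alice event=license_limit detail="agent limit exceeded"
2025-11-20T10:00:20Z level=INFO user=bob event=agent_created target=agent4
2025-11-20T10:05:00Z level=INFO user=carol event=login
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
# Assumed field syntax: word=value, where value may be a quoted string.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

WATCHED_EVENTS = {"agent_created", "license_limit"}  # assumed event names


def parse_line(line):
    """Return a dict of fields plus a UTC 'ts' datetime, or None for junk lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    fields["ts"] = ts.replace(tzinfo=timezone.utc)
    return fields


def parse_log(log_text):
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def count_per_minute(log_text):
    """Equivalent of the SIEM query: count watched events per (user, minute bucket)."""
    counts = defaultdict(int)
    for e in parse_log(log_text):
        if e.get("event") in WATCHED_EVENTS:
            bucket = e["ts"].strftime("%Y-%m-%dT%H:%M")
            counts[(e.get("user"), bucket)] += 1
    return dict(counts)


def detect_bursts(log_text, threshold=3, span_seconds=60):
    """Alert on any license_limit event, and on a user creating `threshold`
    or more Agents within any sliding window of `span_seconds`."""
    alerts = []
    per_user = defaultdict(list)  # user -> timestamps of recent agent_created events
    for e in parse_log(log_text):
        if e.get("event") == "license_limit":
            alerts.append({"type": "license_limit", "user": e.get("user"), "ts": e["ts"]})
        if e.get("event") != "agent_created":
            continue
        window = per_user[e.get("user")]
        window.append(e["ts"])
        # Drop timestamps that have fallen out of the sliding window.
        while (e["ts"] - window[0]).total_seconds() > span_seconds:
            window.pop(0)
        if len(window) >= threshold:
            alerts.append({"type": "agent_burst", "user": e.get("user"),
                           "count": len(window), "ts": e["ts"]})
            window.clear()  # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for key, n in sorted(count_per_minute(SAMPLE_LOG).items()):
        print(key, n)
    for a in detect_bursts(SAMPLE_LOG):
        print(a)
```

Tune `threshold` to the rate at which your helpdesk administrators legitimately onboard Agents; a burst alert is a prompt to reconcile the active Agent count against the license, which is the manual check the workaround section already recommends.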

🔗 References
