| ITEM | Comment |
|---|---|
| CVE | CVE-2025-45939 |
| Software | Golive – Atlassian Jira (Data Center) |
| Version | < 10.5.2, < 9.31.4 |
| Type of Issue | Server-Side Request Forgery (SSRF) |
| CWE | https://cwe.mitre.org/data/definitions/918.html |
| OWASP | Testing for Server-Side Request Forgery |
| Roles affected | Golive Administrator |
| CVSS | High – 8.5 |
| Credits | Thore Imhof from Y-Security |
Summary
The plugin Golive allows users to configure automations, such as webhooks, which is vulnerable to a Server-Side Request Forgery. It does not allow administrators to configure an allowlist of allowed URLs but instead allows every URL.
Mitigation & Recommendation
The vulnerability has been fixed in version 10.5.2 and 9.31.4, the releases are available at apwide.
It is recommended to upgrade the plugin to the latest version, which fixes this vulnerability. We confirmed that our initial exploit payload no longer works, however no extensive analysis of the patch was done from our side.
We closely follow the OWASP Guidelines when performing penetration tests and we recommend following the Server-Side Request Forgery Prevention Cheat Sheet to successfully mitigate Server-Side Request Forgery vulnerabilities.
Disclosure Policy
At Y-Security we take security vulnerabilities seriously and follow a responsible disclosure policy. The vendor released a fix before the 90 day deadline and agreed to publish the CVE.
Disclosure Timeline
| DATE | COMMENT |
|---|---|
| 05.03.2025 | Y-Security discovered security vulnerability & communicated to client |
| 10.04.2025 | Reported to Bugcrowd „Third Party Marketplace Apps“ program |
| 12.05.2025 | CVE assigned (CVE-2025-45939) |
| 13.05.2025 | First contact with apwide support directly |
| 19.05.2025 | Reported to apwide customer portal |
| 06.06.2025 | Apwide released a fix |
| 25.07.2025 | Y-Security disclosed CVE-2025-45939 |
| 18.11.2025 | Release of Blogpost |
Author
Thore Imhof
thore@y-security.de
Y-Security GmbH
18. November 2025