JetBrains Intellij Idea

JetBrains IntelliJ IDEA <2025.3: SSH Remote Project Confirmation Bypass
CVE-2025-68269 5.4 - Medium - December 16, 2025

In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH

Acceptance of Extraneous Untrusted Data With Trusted Data

JetBrains IntelliJ IDEA pre-2025.2: Remote Credentials Disclosure
CVE-2025-57727 - August 20, 2025

In JetBrains IntelliJ IDEA before 2025.2 credentials disclosure was possible via remote reference

Cleartext Transmission of Sensitive Information

IntelliJ IDEA <2025.2: Code With Me Guest Hidden File Disclosure
CVE-2025-57728 - August 20, 2025

In JetBrains IntelliJ IDEA before 2025.2 improper access control allowed Code With Me guest to discover hidden files

AuthZ

JetBrains IntelliJ IDEA <=2025.1 LSP Auto-Start Enables Unexpected Plugin Launch
CVE-2025-57729 - August 20, 2025

In JetBrains IntelliJ IDEA before 2025.2 unexpected plugin startup was possible due to automatic LSP server start

Inclusion of Functionality from Untrusted Control Sphere

CVE-2025-57730: HTML Injection via Remote Dev in IntelliJ IDEA < 2025.2
CVE-2025-57730 - August 20, 2025

In JetBrains IntelliJ IDEA before 2025.2 hTML injection was possible via Remote Development feature

Basic XSS

JetBrains IntelliJ IDEA <2024.3: Source code logged in idea.log
CVE-2025-32054 - April 03, 2025

In JetBrains IntelliJ IDEA before 2024.3, 2024.2.4 source code could be logged in the idea.log file

Insertion of Sensitive Information into Log File

JetBrains IntelliJ IDEA (<2024.1) hTML Injection via Project Name
CVE-2024-46970 6.1 - Medium - September 16, 2024

In JetBrains IntelliJ IDEA before 2024.1 hTML injection via the project name was possible

XSS

JetBrains IDEs <=2024.2 Token Exposure via 3rd-Party Sites (CVE-2024-37051)
CVE-2024-37051 7.5 - High - June 10, 2024

GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

Insufficiently Protected Credentials

IntelliJ IDEA Space plugin sends auth token to wrong URL before 2023.3.3
CVE-2024-24941 5.3 - Medium - February 06, 2024

In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL

Improper Input Validation

IntelliJ IDEA 2023.3.3 Path Traversal via Archive Unpacking
CVE-2024-24940 4.3 - Medium - February 06, 2024

In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives

Relative Path Traversal

IntelliJ IDEA < 2023.3.2: Untrusted Mode Code Exec via Malicious Plugin Repo
CVE-2023-51655 9.8 - Critical - December 21, 2023

In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration

Insufficient Verification of Data Authenticity

IntelliJ IDEA Local Info Disclosure via Confused Deputy in StatusHints
CVE-2023-21283 5.5 - Medium - August 14, 2023

In multiple functions of StatusHints.java, there is a possible way to reveal images across users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.

IntelliJ IDEA Space plugin excessive permissions before 2023.2
CVE-2023-39261 7.8 - High - July 26, 2023

In JetBrains IntelliJ IDEA before 2023.2 plugin for Space was requesting excessive permissions

Execution with Unnecessary Privileges

IntelliJ IDEA < 2023.1.4: License Dialog Suppression Vulnerability
CVE-2023-38069 3.3 - Low - July 12, 2023

In JetBrains IntelliJ IDEA before 2023.1.4 license dialog could be suppressed in certain cases

Improper Check for Unusual or Exceptional Conditions

IntelliJ IDEA <=2023.1 Disclosure via External CSS in MD Preview
CVE-2022-48430 7.5 - High - March 29, 2023

In JetBrains IntelliJ IDEA before 2023.1 file content could be disclosed via an external stylesheet path in Markdown preview.

IntelliJ IDEA <=2022.3. NTLM Hash Leak via API in Builtin Web Server
CVE-2022-48433 7.5 - High - March 29, 2023

In JetBrains IntelliJ IDEA before 2023.1 the NTLM hash could leak through an API method used in the IntelliJ IDEA built-in web server.

Insufficiently Protected Credentials

IntelliJ IDEA Chromium Sandbox Bypass (pre-2023.1)
CVE-2022-48432 8.8 - High - March 29, 2023

In JetBrains IntelliJ IDEA before 2023.1 the bundled version of Chromium wasn't sandboxed.

Insecure Default Initialization of Resource

Trust Project Prompt Bypass in JetBrains IntelliJ IDEA <2023.1
CVE-2022-48431 7.8 - High - March 29, 2023

In JetBrains IntelliJ IDEA before 2023.1 in some cases, Gradle and Maven projects could be imported without the Trust Project confirmation.

Insufficient Verification of Data Authenticity

IntelliJ IDEA SSTI via Code Templates before 2022.3.1
CVE-2022-47896 7.8 - High - December 22, 2022

In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks.

Code Injection

IntelliJ IDEA<2022.3.1: Validate JSP File uses HTTP to download JARs
CVE-2022-47895 7.5 - High - December 22, 2022

In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files.

Cleartext Transmission of Sensitive Information

DYLIB Injection in JetBrains IntelliJ IDEA < 2022.3 on macOS
CVE-2022-46828 7.8 - High - December 08, 2022

In JetBrains IntelliJ IDEA before 2022.3 a DYLIB injection on macOS was possible.

Unrestricted File Upload

IntelliJ IDEA fsnotifier Buffer Overflow on macOS before 2022.2.4
CVE-2022-46824 7.8 - High - December 08, 2022

In JetBrains IntelliJ IDEA before 2022.2.4 a buffer overflow in the fsnotifier daemon on macOS was possible.

Classic Buffer Overflow

IntelliJ IDEA 2022 web server info leakage before 2022.3
CVE-2022-46825 3.3 - Low - December 08, 2022

In JetBrains IntelliJ IDEA before 2022.3 the built-in web server leaked information about open projects.

Inadequate Encryption Strength

IntelliJ IDEA 2022.2 Path Traversal in Builtin Web Server
CVE-2022-46826 5.5 - Medium - December 08, 2022

In JetBrains IntelliJ IDEA before 2022.3 the built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability.

Directory traversal

IntelliJ IDEA XXE SSRF via Custom Plugin Repos before 2022.3
CVE-2022-46827 5.5 - Medium - December 08, 2022

In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible.

XXE

INTELLIJ IDEA Installer <2022.2.2: EXE Search Order Hijacking
CVE-2022-40978 7.8 - High - September 19, 2022

The installer of JetBrains IntelliJ IDEA before 2022.2.2 was vulnerable to EXE search order hijacking

DLL preloading

IntelliJ IDEA < 2022.2 Email Validation Bypass via Git User Name Prompt
CVE-2022-37010 3.3 - Low - July 28, 2022

In JetBrains IntelliJ IDEA before 2022.2 email address validation in the "Git User Name Is Not Defined" dialog was missed

Improper Input Validation

Local Exec in IntelliJ IDEA < 2022.2 via Vagrant EXe
CVE-2022-37009 7.8 - High - July 28, 2022

In JetBrains IntelliJ IDEA before 2022.2 local code execution via a Vagrant executable was possible

Code Injection

In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient
CVE-2022-29812 2.3 - Low - April 28, 2022

In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient

In JetBrains IntelliJ IDEA before 2022.1 local code execution
CVE-2022-29813 6.7 - Medium - April 28, 2022

In JetBrains IntelliJ IDEA before 2022.1 local code execution via custom Pandoc path was possible

Code Injection

In JetBrains IntelliJ IDEA before 2022.1 local code execution
CVE-2022-29814 7.7 - High - April 28, 2022

In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible

Code Injection

In JetBrains IntelliJ IDEA before 2022.1 local code execution
CVE-2022-29815 6.7 - Medium - April 28, 2022

In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible

Code Injection

In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible
CVE-2022-29816 3.2 - Low - April 28, 2022

In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible

XSS

In JetBrains IntelliJ IDEA before 2022.1 reflected XSS
CVE-2022-29817 6.1 - Medium - April 28, 2022

In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in internal web server was possible

XSS

In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed
CVE-2022-29818 7.1 - High - April 28, 2022

In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed

Origin Validation Error

In JetBrains IntelliJ IDEA before 2022.1 local code execution
CVE-2022-29819 7.7 - High - April 28, 2022

In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible

Code Injection

In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords
CVE-2022-28651 5.5 - Medium - April 05, 2022

In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields

Insufficiently Protected Credentials

JetBrains IntelliJ IDEA 2021.3.1 Preview
CVE-2021-45977 9.8 - Critical - February 25, 2022

JetBrains IntelliJ IDEA 2021.3.1 Preview, IntelliJ IDEA 2021.3.1 RC, PyCharm Professional 2021.3.1 RC, GoLand 2021.3.1, PhpStorm 2021.3.1 Preview, PhpStorm 2021.3.1 RC, RubyMine 2021.3.1 Preview, RubyMine 2021.3.1 RC, CLion 2021.3.1, WebStorm 2021.3.1 Preview, and WebStorm 2021.3.1 RC (used as Remote Development backend IDEs) bind to the 0.0.0.0 IP address. The fixed versions are: IntelliJ IDEA 2021.3.1, PyCharm Professional 2021.3.1, GoLand 2021.3.2, PhpStorm 2021.3.1 (213.6461.83), RubyMine 2021.3.1, CLion 2021.3.2, and WebStorm 2021.3.1.

In JetBrains IntelliJ IDEA before 2021.3.1, local code execution
CVE-2022-24346 7.8 - High - February 25, 2022

In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via RLO (Right-to-Left Override) characters was possible.

In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission
CVE-2022-24345 7.8 - High - February 25, 2022

In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission from a user) upon opening a project was possible.

In JetBrains IntelliJ IDEA 2020.3.3, local code execution was possible
CVE-2021-29263 7.8 - High - May 11, 2021

In JetBrains IntelliJ IDEA 2020.3.3, local code execution was possible because of insufficient checks when getting the project from VCS.

In IntelliJ IDEA before 2020.3.3
CVE-2021-30006 7.5 - High - May 11, 2021

In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.

XXE

In JetBrains IntelliJ IDEA before 2021.1, DoS was possible
CVE-2021-30504 7.5 - High - May 11, 2021

In JetBrains IntelliJ IDEA before 2021.1, DoS was possible because of unbounded resource allocation.

Resource Exhaustion

In JetBrains IntelliJ IDEA before 2020.3
CVE-2021-25758 7.8 - High - February 03, 2021

In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution.

Marshaling, Unmarshaling

In JetBrains IntelliJ IDEA before 2020.2
CVE-2021-25756 5.3 - Medium - February 03, 2021

In JetBrains IntelliJ IDEA before 2020.2, HTTP links were used for several remote repositories instead of HTTPS.

In JetBrains IntelliJ IDEA before 2020.2
CVE-2020-27622 5.3 - Medium - November 16, 2020

In JetBrains IntelliJ IDEA before 2020.2, the built-in web server could expose information about the IDE version.

In JetBrains IntelliJ IDEA before 2020.1
CVE-2020-11690 - April 22, 2020

In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases.

In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network
CVE-2020-7914 - January 31, 2020

In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. This issue was fixed in 2019.3.

Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were exposed to the network.
CVE-2020-7905 - January 30, 2020

Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were exposed to the network.

In JetBrains IntelliJ IDEA before 2019.3, some Maven repositories were accessed
CVE-2020-7904 - January 30, 2020

In JetBrains IntelliJ IDEA before 2019.3, some Maven repositories were accessed via HTTP instead of HTTPS.