CVE-2025-4981

20.06.2025, 11:15

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.9 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Mattermost	CNA	9.9 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 49%

Vendor	Product	Version
mattermost	mattermost_server	9.11.0 ≤ 𝑥 < 9.11.16
mattermost	mattermost_server	10.5.0 ≤ 𝑥 < 10.5.6
mattermost	mattermost_server	10.6.0 ≤ 𝑥 < 10.6.6
mattermost	mattermost_server	10.7.0 ≤ 𝑥 < 10.7.3
mattermost	mattermost_server	10.8.0
mattermost	mattermost_server	10.8.0:rc1
mattermost	mattermost_server	10.8.0:rc2
mattermost	mattermost_server	10.8.0:rc3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-427 - Uncontrolled Search Path Element
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

References

https://mattermost.com/security-updates