CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-4981

CVSS 9.9v3.1pub. 2025-06-20upd. 2025-07-08

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default.

🤖 AI Analysis
How it works

Mattermost Server does not sanitize file names when unpacking uploaded archives. An attacker with an account in the system can upload a specially crafted archive in which file names contain path traversal sequences (e.g., '../../'). During unpacking, the server saves files outside the intended target directory — in any location on the file system accessible to the server process. The vulnerability is active only when two configuration options are enabled simultaneously: FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true, which are active by default.

Impact

An authenticated attacker can overwrite or place arbitrary files on the server, which may lead to remote code execution (RCE) and thus complete takeover of the server instance, data disclosure, and violation of system integrity and availability.

Mitigation & patch

Mattermost Server should be updated to versions higher than those indicated above (according to vendor references: https://mattermost.com/security-updates). As a temporary workaround, until a patch is applied, archive content extraction can be disabled by setting FileSettings.ExtractContent = false, which deactivates the vulnerable mechanism.

Who is affected

Mattermost Server in versions: 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 — with default configuration (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Mattermost Server

    APP
    Mattermost
    10.8.09.11.0 – 9.11.16 (bez)10.5.0 – 10.5.6 (bez)10.6.0 – 10.6.6 (bez)10.7.0 – 10.7.3 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2025-12421CRITICAL9.9PL ✓ten sam produkt

Mattermost Server — przejęcie konta przez błąd weryfikacji tokenu OAuth (account takeover)

CVE-2025-12419CRITICAL9.9PL ✓ten sam produkt

Mattermost Server: przejęcie konta przez błędną walidację OAuth state token

CVE-2025-24490CRITICAL9.6PL ✓ten sam produkt

SQL Injection w Mattermost Server — podatność przy zmianie kolejności tablic

CVE-2025-20051CRITICAL9.9PL ✓ten sam produkt

Mattermost Server: path traversal przy duplikowaniu bloków w Boards

CVE-2025-25279CRITICAL9.9PL ✓ten sam produkt

Mattermost Server — path traversal przy imporcie tablic (Boards)