CVE-2025-4981 PUBLISHED

Path Traversal Leading to RCE by Any Authenticated Mattermost User

Assigner: Mattermost
Reserved: 20.05.2025 Published: 20.06.2025 Updated: 20.06.2025

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor, which allows any authenticated user to write files to arbitrary locations on the server filesystem (within the privileges of the Mattermost process) by uploading an archive whose entry names contain path traversal sequences, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content are both enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true); both settings are enabled by default.
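The bug class the description names, shown as an added example in Go (the language Mattermost is written in). This is illustrative code written for this page, not Mattermost's extractor: it builds a small zip in memory with a constructed "../escaped.txt" member, extracts it once with the unchecked filepath.Join pattern that lets the entry land outside the destination, and once with a hardened extractor that validates every member name against the destination before writing anything. Only file members are handled; directory and symlink members are out of scope here.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// entry is one archive member; all names and bodies here are constructed.
type entry struct{ Name, Body string }

// buildArchive builds a zip in memory so the example runs offline. archive/zip
// does not validate names on the writing side, so "../x" is stored as crafted.
func buildArchive(entries []entry) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.Name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(e.Body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// writeEntry creates target (and its parent directories) from one file member.
func writeEntry(f *zip.File, target string) error {
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.Create(target)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// extractUnsafe shows the bug class: the member name is joined to dest with no
// check that the result stays inside dest, so "../escaped.txt" lands one level
// above it. Go 1.20+ returns the reader together with an "insecure file path"
// error for such names; checking zr rather than err mirrors code that ignores it.
func extractUnsafe(archive []byte, dest string) error {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if zr == nil {
		return err
	}
	for _, f := range zr.File {
		if err := writeEntry(f, filepath.Join(dest, f.Name)); err != nil {
			return err
		}
	}
	return nil
}

// safeTarget joins name under dest and rejects any result that is not below
// dest after cleaning. Join neutralises absolute names; the separator appended
// to root stops "../data2/x" from passing as a prefix match for ".../data".
func safeTarget(dest, name string) (string, error) {
	root := filepath.Clean(dest)
	target := filepath.Join(root, name)
	if target != root && !strings.HasPrefix(target, root+string(os.PathSeparator)) {
		return "", fmt.Errorf("archive entry %q escapes %q", name, dest)
	}
	return target, nil
}

// extractSafe validates every member name before writing anything, so a
// crafted archive is rejected whole rather than half-extracted.
func extractSafe(archive []byte, dest string) error {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if zr == nil {
		return err
	}
	targets := make([]string, len(zr.File))
	for i, f := range zr.File {
		if targets[i], err = safeTarget(dest, f.Name); err != nil {
			return err
		}
	}
	for i, f := range zr.File {
		if err := writeEntry(f, targets[i]); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, _ := os.MkdirTemp("", "traversal-demo")
	defer os.RemoveAll(root)
	dest := filepath.Join(root, "extract")
	archive := buildArchive([]entry{
		{"notes/readme.txt", "harmless\n"},
		{"../escaped.txt", "written outside the extraction directory\n"},
	})
	fmt.Println("hardened extractor:", extractSafe(archive, dest))
	fmt.Println("vulnerable extractor:", extractUnsafe(archive, dest))
	_, statErr := os.Stat(filepath.Join(root, "escaped.txt"))
	fmt.Println("file outside dest exists:", statErr == nil)
}
```

The prefix check is deliberately done on the cleaned, joined string rather than by scanning the name for "..": "a/../../b" contains no leading "../" yet still resolves above the destination, and the check catches it. Two things it does not cover, which a production extractor must: symlink members (a member that creates a link pointing outside the destination, followed by a member written through it) and a destination directory that is itself a symlink, which filepath.EvalSymlinks on dest addresses.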

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Product Status

Vendor Mattermost
Product Mattermost
Versions Default: unaffected
  • affected from 10.5.0 to 10.5.5 (incl.)
  • affected from 9.11.0 to 9.11.15 (incl.)
  • affected from 10.8.0 to 10.8.0 (incl.)
  • affected from 10.7.0 to 10.7.2 (incl.)
  • affected from 10.6.0 to 10.6.5 (incl.)
  • Version 10.9.0 is unaffected
  • Version 10.5.6 is unaffected
  • Version 9.11.16 is unaffected
  • Version 10.8.1 is unaffected
  • Version 10.7.3 is unaffected
  • Version 10.6.6 is unaffected
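An added example, not part of the record, for checking a fleet against the Product Status list above: it parses a MAJOR.MINOR.PATCH version string (assumed to be the plain form Mattermost reports, without suffixes), tests it against the inclusive ranges listed, and combines the result with the two FileSettings values the description names as preconditions. The version strings in main are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type version [3]int

// parseVersion accepts "10.5.5" or "v10.5.5" and rejects anything else.
func parseVersion(s string) (version, error) {
	var v version
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(s), "v"), ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("version %q: bad component %q", s, p)
		}
		v[i] = n
	}
	return v, nil
}

func (a version) less(b version) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

type vrange struct{ lo, hi version }

// affectedRanges reproduces the Product Status list; every bound is inclusive.
var affectedRanges = []vrange{
	{version{9, 11, 0}, version{9, 11, 15}},
	{version{10, 5, 0}, version{10, 5, 5}},
	{version{10, 6, 0}, version{10, 6, 5}},
	{version{10, 7, 0}, version{10, 7, 2}},
	{version{10, 8, 0}, version{10, 8, 0}},
}

// versionAffected reports whether s falls inside any listed range.
func versionAffected(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		if !v.less(r.lo) && !r.hi.less(v) {
			return true, nil
		}
	}
	return false, nil
}

// instanceExposed combines the version check with the two FileSettings values
// (FileSettings.EnableFileAttachments, FileSettings.ExtractContent) that the
// description names as preconditions for impact.
func instanceExposed(ver string, enableFileAttachments, extractContent bool) (bool, error) {
	affected, err := versionAffected(ver)
	if err != nil {
		return false, err
	}
	return affected && enableFileAttachments && extractContent, nil
}

func main() {
	// Constructed inputs: an affected version with default settings, the same
	// version with content extraction disabled, and two fixed releases.
	cases := []struct {
		ver             string
		attach, extract bool
	}{{"10.5.5", true, true}, {"10.5.5", true, false}, {"10.9.0", true, true}, {"9.11.16", true, true}}
	for _, c := range cases {
		exposed, err := instanceExposed(c.ver, c.attach, c.extract)
		fmt.Printf("%-8s attachments=%-5v extract=%-5v exposed=%-5v err=%v\n",
			c.ver, c.attach, c.extract, exposed, err)
	}
}
```

The function follows the record literally: a version outside every listed range (an older 10.4.x release, say) comes back as not affected because the record marks everything unlisted as "Default: unaffected". Whether such a branch was within the scope of the vendor's assessment is a judgement the record does not make for you.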

Solutions

Update Mattermost to version 10.9.0, 10.5.6, 9.11.16, 10.8.1, 10.7.3 or 10.6.6 (or later) on the respective branch. Until the update is applied, disabling document search by content (FileSettings.ExtractContent = false) takes an instance out of the impacted configuration, since the description above limits impact to instances with both FileSettings.EnableFileAttachments and FileSettings.ExtractContent enabled.

Credits

  • Dawid Kulikowski (daw10) finder

References

Problem Types

  • CWE-427: Uncontrolled Search Path Element (classification recorded by the assigner; the behaviour described, a crafted archive entry name escaping the extraction directory, is the pattern CWE-22, Improper Limitation of a Pathname to a Restricted Directory, describes)