Mattermost Fails to Validate File Paths

GHSA-gq3r-5833-5532 · CVE-2025-36530 · GO-2025-3901

Published Aug 21, 2025 · Modified Aug 29, 2025

Description

Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-36530
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates
WEB https://pkg.go.dev/vuln/GO-2025-3901

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes