Mattermost allows authenticated users to write files to arbitrary locations

GHSA-qh58-9v3j-wcjc · CVE-2025-4981 · GO-2025-3769

Published Jun 20, 2025 · Modified Jul 28, 2025

Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-4981
WEB https://github.com/mattermost/mattermost/commit/65aec10162f612d98edf91cc66bf7e781868448b
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes