CVE-2025-25274 — Incorrect Authorization in Mattermost Mattermost-server

CWE-863 — Incorrect Authorization CWE-77 — Command Injection5 documents4 sources

Severity

8.8HIGHNVD

CNA4.3

EPSS

0.3%

top 43.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedMar 21

Latest updateMar 25

Description

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDmattermost/mattermost_server9.11.0 — 9.11.9+2

▶Gogithub.com/mattermost_mattermost-server9.11.0+incompatible — 9.11.9+incompatible+3

▶Gogithub.com/mattermost_mattermost_server_v810.4.0 — 10.4.3+3

▶CVEListV5mattermost/mattermost10.4.0 — 10.4.2+2

🔴Vulnerability Details

OSV

Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server↗2025-03-25

▶

OSV

Mattermost Fails to Restrict Command Execution in Archived Channels↗2025-03-21

▶

CVEList

Unauthorized Command Execution in Archived Channels↗2025-03-21

▶

GHSA

Mattermost Fails to Restrict Command Execution in Archived Channels↗2025-03-21

▶