cbcvebase.
CVE-2025-47870
published 2025-08-21

CVE-2025-47870: Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST…

medium4.3CVSS 3.1
AVNACLPRLUINSUCLINAN
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id.

Affected

19 ranges
VendorProductVersion rangeFixed in
github.commattermost_mattermost-server>= 10.5.0 < 10.5.910.5.9
github.commattermost_mattermost-server>= 10.5.0+incompatible < 10.5.9+incompatible10.5.9+incompatible
github.commattermost_mattermost-server>= 10.8.0 < 10.8.410.8.4
github.commattermost_mattermost-server>= 10.8.0+incompatible < 10.8.4+incompatible10.8.4+incompatible
github.commattermost_mattermost-server>= 10.9.0 < 10.9.310.9.3
github.commattermost_mattermost-server>= 10.9.0+incompatible < 10.9.3+incompatible10.9.3+incompatible
github.commattermost_mattermost-server>= 9.11.0 < 9.11.189.11.18
github.commattermost_mattermost-server>= 9.11.0+incompatible < 9.11.18+incompatible9.11.18+incompatible
github.commattermost_mattermost-server_v50 – 5.39.3
github.commattermost_mattermost-server_v60 – 6.7.2
github.commattermost_mattermost_server_v8>= 0 < 8.0.0-20250708065844-b38e2eccda188.0.0-20250708065844-b38e2eccda18
mattermostmattermost10.5.0 – 10.5.8
mattermostmattermost10.8.0 – 10.8.3
mattermostmattermost10.9.0 – 10.9.2
mattermostmattermost9.11.0 – 9.11.17
mattermostmattermost_server>= 10.5.0 < 10.5.910.5.9
mattermostmattermost_server>= 10.8.0 < 10.8.410.8.4
mattermostmattermost_server>= 10.9.0 < 10.9.310.9.3
mattermostmattermost_server>= 9.11.0 < 9.11.189.11.18