CVE-2025-49222
published 2025-08-21CVE-2025-49222: Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster…
medium6.8CVSS 3.1
AVNACLPRHUINSCCNIHAN
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 10.10.0 < 10.10.1 | 10.10.1 |
| github.com | mattermost_mattermost-server | >= 10.10.0+incompatible < 10.10.1+incompatible | 10.10.1+incompatible |
| github.com | mattermost_mattermost-server | >= 10.5.0 < 10.5.9 | 10.5.9 |
| github.com | mattermost_mattermost-server | >= 10.5.0+incompatible < 10.5.9+incompatible | 10.5.9+incompatible |
| github.com | mattermost_mattermost-server | >= 10.8.0 < 10.8.4 | 10.8.4 |
| github.com | mattermost_mattermost-server | >= 10.8.0+incompatible < 10.8.4+incompatible | 10.8.4+incompatible |
| github.com | mattermost_mattermost-server | >= 10.9.0 < 10.9.3 | 10.9.3 |
| github.com | mattermost_mattermost-server | >= 10.9.0+incompatible < 10.9.3+incompatible | 10.9.3+incompatible |
| github.com | mattermost_mattermost-server | >= 9.11.0 < 9.11.18 | 9.11.18 |
| github.com | mattermost_mattermost-server | >= 9.11.0+incompatible < 9.11.18+incompatible | 9.11.18+incompatible |
| github.com | mattermost_mattermost-server_v5 | 0 – 5.39.3 | — |
| github.com | mattermost_mattermost-server_v6 | 0 – 5.7.2 | — |
| github.com | mattermost_mattermost_server_v8 | >= 0 < 8.0.0-20250708173752-d6b35c41f0ae5 | 8.0.0-20250708173752-d6b35c41f0ae5 |
| mattermost | mattermost | 10.10.0 – 10.10.0 | — |
| mattermost | mattermost | 10.5.0 – 10.5.8 | — |
| mattermost | mattermost | 10.8.0 – 10.8.3 | — |
| mattermost | mattermost | 10.9.0 – 10.9.2 | — |
| mattermost | mattermost | 9.11.0 – 9.11.17 | — |
| mattermost | mattermost_server | — | — |
| mattermost | mattermost_server | >= 10.5.0 < 10.5.9 | 10.5.9 |
| mattermost | mattermost_server | >= 10.8.0 < 10.8.4 | 10.8.4 |
| mattermost | mattermost_server | >= 10.9.0 < 10.9.3 | 10.9.3 |
| mattermost | mattermost_server | >= 9.11.0 < 9.11.18 | 9.11.18 |