CVE-2025-4981: Uncontrolled Search Path Element in Mattermost Mattermost-server

Severity: 9.9 CRITICAL (NVD)
EPSS: 1.7% (top 17.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 20; Latest update Jul 28

Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor, which allows authenticated users to write files to arbitrary locations on the filesystem by uploading archives whose entry filenames contain path traversal sequences, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content are enabled (FileSettings.EnableFileAttachments = t

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.1 | Impact: 6.0

Affected Packages (4 packages)

Source | Package | Introduced | Fixed | More ranges
NVD | mattermost/mattermost_server | 9.11.0 | 9.11.16 | +4
Go | github.com/mattermost_mattermost-server | 9.11.0+incompatible | 9.11.16+incompatible | +5
CVEListV5 | mattermost/mattermost | 10.5.0 | 10.5.5 | +4

Vulnerability Details (4 sources)

OSV: Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server (2025-07-28)
GHSA: Mattermost allows authenticated users to write files to arbitrary locations (2025-06-20)
OSV: Mattermost allows authenticated users to write files to arbitrary locations (2025-06-20)
CVEList: Path Traversal Leading to RCE by Any Authenticated Mattermost User (2025-06-20)
CVE-2025-4981 — Uncontrolled Search Path Element | cvebase