CVE-2025-6233
published 2025-07-18CVE-2025-6233: Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import…
medium4.9CVSS 3.1
AVNACLPRHUINSUCHINAN
Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 10.5.0 < 10.5.8 | 10.5.8 |
| github.com | mattermost_mattermost-server | >= 10.5.0+incompatible < 10.5.8+incompatible | 10.5.8+incompatible |
| github.com | mattermost_mattermost-server | >= 10.7.0 < 10.7.4 | 10.7.4 |
| github.com | mattermost_mattermost-server | >= 10.7.0+incompatible < 10.7.4+incompatible | 10.7.4+incompatible |
| github.com | mattermost_mattermost-server | >= 10.8.0 < 10.8.2 | 10.8.2 |
| github.com | mattermost_mattermost-server | >= 10.8.0+incompatible < 10.8.2+incompatible | 10.8.2+incompatible |
| github.com | mattermost_mattermost-server | >= 9.11.0 < 9.11.17 | 9.11.17 |
| github.com | mattermost_mattermost-server | >= 9.11.0+incompatible < 9.11.17+incompatible | 9.11.17+incompatible |
| github.com | mattermost_mattermost_server_v8 | >= 0 < 8.0.0-20250529054450-d38c27f96fcf | 8.0.0-20250529054450-d38c27f96fcf |
| mattermost | mattermost | 10.5.0 – 10.5.7 | — |
| mattermost | mattermost | 10.7.0 – 10.7.3 | — |
| mattermost | mattermost | 10.8.0 – 10.8.1 | — |
| mattermost | mattermost | 9.11.0 – 9.11.16 | — |
| mattermost | mattermost_server | >= 10.5.0 < 10.5.8 | 10.5.8 |
| mattermost | mattermost_server | >= 10.7.0 < 10.7.4 | 10.7.4 |
| mattermost | mattermost_server | >= 10.8.0 < 10.8.2 | 10.8.2 |
| mattermost | mattermost_server | >= 9.11.0 < 9.11.17 | 9.11.17 |