CVE-2025-9079: Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path…

high7.2CVSS 3.1

AVNACLPRHUINSUCHIHAH

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory

Affected

21 ranges

Vendor	Product	Version range	Fixed in
github.com	mattermost_mattermost-server	>= 10.10.0 < 10.10.2	10.10.2
github.com	mattermost_mattermost-server	>= 10.10.0+incompatible < 10.10.2+incompatible	10.10.2+incompatible
github.com	mattermost_mattermost-server	>= 10.5.0 < 10.5.9	10.5.9
github.com	mattermost_mattermost-server	>= 10.5.0+incompatible < 10.5.9+incompatible	10.5.9+incompatible
github.com	mattermost_mattermost-server	>= 10.8.0 < 10.8.4	10.8.4
github.com	mattermost_mattermost-server	>= 10.8.0+incompatible < 10.8.4+incompatible	10.8.4+incompatible
github.com	mattermost_mattermost-server	>= 10.9.0 < 10.9.4	10.9.4
github.com	mattermost_mattermost-server	>= 10.9.0+incompatible < 10.9.4+incompatible	10.9.4+incompatible
github.com	mattermost_mattermost-server	>= 9.11.0 < 9.11.18	9.11.18
github.com	mattermost_mattermost-server	>= 9.11.0+incompatible < 9.11.18+incompatible	9.11.18+incompatible
github.com	mattermost_mattermost_server_v8	>= 0 < 8.0.0-20250707221302-a8fa77f107ef	8.0.0-20250707221302-a8fa77f107ef
mattermost	mattermost	10.10.0 – 10.10.1	—
mattermost	mattermost	10.5.0 – 10.5.8	—
mattermost	mattermost	10.8.0 – 10.8.3	—
mattermost	mattermost	10.9.0 – 10.9.3	—
mattermost	mattermost	9.11.0 – 9.11.17	—
mattermost	mattermost_server	>= 10.10.0 < 10.10.2	10.10.2
mattermost	mattermost_server	>= 10.5.0 < 10.5.9	10.5.9
mattermost	mattermost_server	>= 10.8.0 < 10.8.4	10.8.4
mattermost	mattermost_server	>= 10.9.0 < 10.9.4	10.9.4
mattermost	mattermost_server	>= 9.11.0 < 9.11.18	9.11.18