GHSA-qh58-9v3j-wcjc: Mattermost allows authenticated users to write files to arbitrary locations

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor, which allows authenticated users to write files to arbitrary locations on the filesystem by uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content are enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default.
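The missing check is the classic archive path traversal problem: an extractor that joins an entry name straight from the archive header onto its output directory will follow "../" sequences out of that directory. The Go program below is an added illustration of the hardened form and is not Mattermost's code or its fix commit; safeJoin, extractArchive, copyEntry and buildZip are names chosen for this example, and the in-memory zip it builds is constructed test data. It validates every entry name with filepath.IsLocal before writing anything, so a single bad entry rejects the whole archive.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// ErrUnsafeEntry marks an archive entry whose name would resolve outside the
// extraction directory (absolute path, "..", or a Windows volume/device name).
var ErrUnsafeEntry = errors.New("archive entry name escapes the extraction directory")

// safeJoin is the check the advisory describes as missing: the entry name must
// be a purely local relative path before it is joined onto destDir. A naive
// filepath.Join(destDir, name) would happily resolve "../../x" above destDir.
func safeJoin(destDir, name string) (string, error) {
	local := filepath.FromSlash(name) // zip names use '/'
	// filepath.IsLocal (Go 1.20+) rejects empty names, absolute or rooted paths,
	// names that climb above their root via "..", and reserved names on Windows.
	if !filepath.IsLocal(local) {
		return "", fmt.Errorf("%w: %q", ErrUnsafeEntry, name)
	}
	return filepath.Join(destDir, local), nil
}

// extractArchive unpacks an in-memory zip into destDir. All entry names are
// validated before anything is written, so one bad entry rejects the whole
// archive instead of leaving a half-extracted tree. Returns the files written.
func extractArchive(data []byte, destDir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// With GODEBUG=zipinsecurepath=0 the reader flags non-local names itself but
	// stays usable; safeJoin enforces the same rule regardless of that setting.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	targets := make([]string, len(r.File))
	for i, f := range r.File {
		if targets[i], err = safeJoin(destDir, f.Name); err != nil {
			return nil, err
		}
	}
	var written []string
	for i, f := range r.File {
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(targets[i], 0o755); err != nil {
				return nil, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(targets[i]), 0o755); err != nil {
			return nil, err
		}
		if err := copyEntry(f, targets[i]); err != nil {
			return nil, err
		}
		written = append(written, targets[i])
	}
	return written, nil
}

// copyEntry streams one regular-file entry to path, truncating any old content.
func copyEntry(f *zip.File, path string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// buildZip assembles an in-memory zip from constructed entries (test data only).
// The zip writer does not validate entry names, which is exactly why the
// extractor must; write errors are ignored because the buffer cannot fail.
func buildZip(entries map[string]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, body := range entries {
		fw, _ := w.Create(name)
		fw.Write([]byte(body))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "extract-demo")
	defer os.RemoveAll(dest)
	// Constructed names: one ordinary entry and one that tries to climb out.
	for _, name := range []string{"docs/readme.txt", "../outside.txt"} {
		_, err := extractArchive(buildZip(map[string]string{name: "x"}), dest)
		fmt.Printf("%-16s -> err=%v\n", name, err)
	}
}
```

The check is lexical only: it stops names that resolve outside the directory, but it does not address symlink entries inside an archive or symlinks already present in the destination, and it sets no limit on decompressed size. Those are separate controls an extractor that handles untrusted uploads also needs.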

CVE-2025-4981

Severity: Critical (GitHub Reviewed). Published to the GitHub Advisory Database Jun 20, 2025; updated Jun 20, 2025.

Package: gomod github.com/mattermost/mattermost-server (Go)

  Affected versions                      Patched versions
  < 0.0.0-20250519205859-65aec10162f6    0.0.0-20250519205859-65aec10162f6

Package: gomod github.com/mattermost/mattermost/server/v8 (Go)

  Affected versions                      Patched versions
  < 8.0.0-20250519205859-65aec10162f6    8.0.0-20250519205859-65aec10162f6
  >= 10.5.0, <= 10.5.5                   10.5.6
  >= 9.11.0, <= 9.11.15                  9.11.16
  = 10.8.0                               10.8.1
  >= 10.7.0, <= 10.7.2                   10.7.3
  >= 10.6.0, <= 10.6.5                   10.6.6

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-4981
  • https://mattermost.com/security-updates
  • mattermost/mattermost@65aec10

