CVE-2025-4981

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-4981

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-4981.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-4981

Aliases

Downstream

openSUSE-SU-2025:15405-1

Related

openSUSE-SU-2025:15405-1

Published

2025-06-20T11:15:20.993Z

Modified

2026-03-12T02:19:13.158681521Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default.

References

https://mattermost.com/security-updates

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type: GIT
Repo: https://github.com/mattermost/mattermost-server
Events: Introduced

0bc2ddd42375a75ab14e63f038165150d4f07659

Fixed

96fdd2b677f28d1375df8dfa88bbc519f32bb3b6

Introduced

58bd34fd34cbd7d3da777d627b6cffdf8a532930

Fixed

2c4a9f9d49d9a6aa94b073e8871ff67e95f8984e

Introduced

5eebc77b68c0c2b63103316e3c92342c13fd93f9

Fixed

303cb88e93f0426657feb473b323d9e22dc0e43c

Introduced

f6b324a9d71843e8f48eba9e90dfbeabcbac1ae7

Fixed

5521da96cf8e84ff3f249ff0e3599d131c05e850

Affected versions

@mattermost/client@10.*

@mattermost/client@10.5.0

@mattermost/client@10.6.0

@mattermost/client@10.7.0

@mattermost/client@9.*

@mattermost/client@9.11.0

@mattermost/types@10.*

@mattermost/types@10.5.0

@mattermost/types@10.6.0

@mattermost/types@10.7.0

@mattermost/types@9.*

@mattermost/types@9.11.0

mattermost-redux@10.*

mattermost-redux@10.6.0

mattermost-redux@10.7.0

v10.*

v10.5.0

v10.5.0-rc6

v10.5.1

v10.5.1-rc1

v10.5.1-rc2

v10.5.2

v10.5.3

v10.5.3-rc1

v10.5.4

v10.5.4-rc1

v10.5.4-rc2

v10.5.5

v10.5.5-rc1

v10.6.0

v10.6.0-rc3

v10.6.1

v10.6.2

v10.6.2-rc1

v10.6.3

v10.6.3-rc1

v10.6.4

v10.6.4-rc1

v10.6.5

v10.7.0

v10.7.0-rc2

v10.7.1

v10.7.2

v10.7.2-rc1

v9.*

v9.11.0

v9.11.0-rc3

v9.11.1

v9.11.1-rc1

v9.11.10

v9.11.10-rc1

v9.11.11

v9.11.11-rc1

v9.11.12

v9.11.12-rc1

v9.11.13

v9.11.13-rc1

v9.11.14

v9.11.15

v9.11.2

v9.11.2-rc1

v9.11.2-rc2

v9.11.3

v9.11.3-rc1

v9.11.3-rc2

v9.11.4

v9.11.4-rc1

v9.11.5

v9.11.5-rc1

v9.11.6

v9.11.6-rc1

v9.11.6-rc2

v9.11.7

v9.11.7-rc1

v9.11.7-rc2

v9.11.7-rc3

v9.11.8

v9.11.9

v9.11.9-rc1

v9.11.9-rc2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-4981.json"