
CVE-2025-4981: Mattermost allows authenticated users to write files to arbitrary locations

June 20, 2025

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor, which allows authenticated users to write files to arbitrary locations on the filesystem by uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content are enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). Both settings are enabled by default.
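The defensive check this class of bug calls for is to resolve every archive entry name against the extraction directory and refuse anything that would land outside it. The following is an added Go example, not Mattermost's code or the fix in the referenced commit; the destination directory and entry names are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntryName is returned for archive entry names that would escape
// the extraction directory or are otherwise not plain relative paths.
var ErrUnsafeEntryName = errors.New("unsafe archive entry name")

// SafeExtractPath resolves an archive entry name against destDir and rejects
// names that are absolute, contain a NUL byte, or traverse out of destDir.
// Entry names are treated as slash-separated, as zip and tar store them.
func SafeExtractPath(destDir, entryName string) (string, error) {
	if entryName == "" || strings.ContainsRune(entryName, 0) {
		return "", ErrUnsafeEntryName
	}
	// Normalise separators so "..\" is handled the same way as "../".
	name := strings.ReplaceAll(entryName, "\\", "/")
	// Reject absolute paths (and, on Windows, drive-letter prefixes) outright.
	if strings.HasPrefix(name, "/") || filepath.VolumeName(name) != "" {
		return "", ErrUnsafeEntryName
	}
	// Clean collapses "a/../b" to "b"; anything still starting with ".." escapes.
	dotdot := ".." + string(filepath.Separator)
	cleaned := filepath.Clean(filepath.FromSlash(name))
	if cleaned == ".." || strings.HasPrefix(cleaned, dotdot) {
		return "", ErrUnsafeEntryName
	}
	root := filepath.Clean(destDir)
	target := filepath.Join(root, cleaned)
	// Second, independent check: the joined result must stay under root.
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, dotdot) {
		return "", ErrUnsafeEntryName
	}
	return target, nil
}

func main() {
	// Constructed sample entry names: one benign, three that must be refused.
	for _, n := range []string{"docs/readme.txt", "../../etc/cron.d/job", "/etc/passwd", "..\\..\\x"} {
		p, err := SafeExtractPath("/var/mattermost/extract", n)
		fmt.Printf("%-24q -> %q %v\n", n, p, err)
	}
}
```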

References

  • github.com/advisories/GHSA-qh58-9v3j-wcjc
  • github.com/mattermost/mattermost
  • github.com/mattermost/mattermost/commit/65aec10162f612d98edf91cc66bf7e781868448b
  • mattermost.com/security-updates
  • nvd.nist.gov/vuln/detail/CVE-2025-4981

Affected versions

All versions before 0.0.0-20250519205859-65aec10162f6

Fixed versions

  • 0.0.0-20250519205859-65aec10162f6

Solution

Upgrade to version 0.0.0-20250519205859-65aec10162f6 or above.

Impact

9.9 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Weakness

  • CWE-427: Uncontrolled Search Path Element

Source file

go/github.com/mattermost/mattermost-server/CVE-2025-4981.yml

Page generated Tue, 19 Aug 2025 12:18:31 +0000.