CVE-2025-20051: Mattermost allows reading arbitrary files
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read arbitrary files on the server's filesystem by duplicating a specially crafted block in Boards.
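The advisory gives four affected version ranges, which is enough to write a triage check for an inventory of Mattermost installs. The script below is an added example, not code from the advisory or from the Mattermost project; the ranges are transcribed from the sentence above, the host names and versions in the sample inventory are constructed, and it deliberately reports minor lines the advisory does not mention (for example 10.5.x or 10.1.x) as "unlisted" rather than guessing, since the page says nothing about them.

```python
"""Triage helper for CVE-2025-20051 (added example; ranges transcribed from the advisory).

Treat the result as a first pass for inventory scripts, not as a replacement for
checking the vendor's security-updates page.
"""
from typing import Dict, Optional, Tuple

# Affected ranges as stated in the advisory: (major, minor) line -> highest affected patch.
# Any patch level above the listed value in the same line is reported as not affected.
AFFECTED_LINES: Dict[Tuple[int, int], int] = {
    (10, 4): 1,   # 10.4.x <= 10.4.1
    (10, 3): 2,   # 10.3.x <= 10.3.2
    (10, 2): 2,   # 10.2.x <= 10.2.2
    (9, 11): 7,   # 9.11.x <= 9.11.7
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (an optional leading 'v' is tolerated) into a
    comparable tuple. Raises ValueError for anything else so that a malformed
    inventory entry is never silently treated as safe."""
    core = text.strip()
    if core.startswith("v"):
        core = core[1:]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(version: str) -> Optional[bool]:
    """True  -> version is inside an advisory-listed affected range.
    False -> version is in a listed line but above the last affected patch.
    None  -> the advisory does not mention this major.minor line at all."""
    major, minor, patch = parse_version(version)
    highest_bad = AFFECTED_LINES.get((major, minor))
    if highest_bad is None:
        return None
    return patch <= highest_bad


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> verdict for a {host: version} inventory; never raises, so one
    bad entry does not abort the whole run."""
    labels = {True: "AFFECTED", False: "not affected", None: "unlisted line"}
    verdicts: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            verdicts[host] = labels[is_affected(version)]
        except ValueError as exc:
            verdicts[host] = f"unparseable ({exc})"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory (host names and versions are made up for the example).
    sample = {
        "mm-prod-1": "10.4.1",
        "mm-prod-2": "v10.4.2",
        "mm-stage": "9.11.7",
        "mm-lab": "10.5.0",
        "mm-legacy": "not-a-version",
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

The three-way result is intentional: a host on a line the advisory never lists should surface for manual review rather than disappear into a "not affected" bucket, and an unparseable version string is reported per host instead of stopping the run.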
References
- github.com/advisories/GHSA-v469-7wp6-7cvp
- github.com/mattermost/mattermost
- github.com/mattermost/mattermost-plugin-boards/commit/025ce8d363a054473bc002f43f602a4032d38c06
- github.com/mattermost/mattermost/commit/4ed702ccff4ec3c9eff832a9b6060f9f4454141d
- mattermost.com/security-updates
- nvd.nist.gov/vuln/detail/CVE-2025-20051