CVE-2025-2424: Mattermost Incorrect Authorization vulnerability

April 14, 2025 (updated April 23, 2025)

Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation.

References

github.com/advisories/GHSA-wwhj-pw6h-f8hw
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/68c11e9ecb7129f7d3e0e67277f0a5924a8cbe06
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2025-2424
pkg.go.dev/vuln/GO-2025-3611

Code Behaviors & Features

Detect and mitigate CVE-2025-2424 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →