CVE-2025-25279: Mattermost allows reading arbitrary files related to importing boards
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards, which allows an attacker to read any arbitrary file on the system by importing and exporting a specially crafted import archive in Boards.
References
- github.com/advisories/GHSA-5fwx-p6xh-vjrh
- github.com/mattermost/mattermost
- github.com/mattermost/mattermost-plugin-boards/commit/025ce8d363a054473bc002f43f602a4032d38c06
- github.com/mattermost/mattermost/commit/4ed702ccff4ec3c9eff832a9b6060f9f4454141d
- mattermost.com/security-updates
- nvd.nist.gov/vuln/detail/CVE-2025-25279