CVE-2025-25279

CRITICAL

Mattermost <10.4.1-10.3.2-10.2.2 - Info Disclosure

Title source: llm

Description

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any arbitrary file on the system via importing and exporting a specially crafted import archive in Boards.

Exploits (1)

nomisec WRITEUP 4 stars

by numanturle · poc

https://github.com/numanturle/CVE-2025-25279

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 9.9

EPSS 0.2929

EPSS Percentile 96.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Classification

CWE

CWE-22

Status published

Affected Products (2)

mattermost/mattermost_server < 9.11.8

mattermost/mattermost < 8.0.0-20250122165010-4ed702ccff4eGo

Timeline

Published Feb 24, 2025

Tracked Since Feb 18, 2026