CVE-2025-25279

CRITICAL

Mattermost <10.4.1-10.3.2-10.2.2 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-25279. PoCs published by numanturle, AbokorMAHAMMADMOUSSE, Abokor-creator.

AI-analyzed exploit summary: This repository provides a detailed writeup and HTTP request examples for CVE-2025-25279, an arbitrary file read vulnerability in Mattermost Boards. The exploit involves manipulating the fileId parameter during board block operations to access sensitive files.

Description

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards, which allows an attacker to read any arbitrary file on the system by importing and exporting a specially crafted import archive in Boards.

Exploits (3)

nomisec WRITEUP 4 stars
by numanturle · poc
https://github.com/numanturle/CVE-2025-25279

This repository provides a detailed writeup and HTTP request examples for CVE-2025-25279, an arbitrary file read vulnerability in Mattermost Boards. The exploit involves manipulating the fileId parameter during board block operations to access sensitive files.

Classification
Writeup 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Mattermost (versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2)
Auth required
Prerequisites: Access to Mattermost Boards · Valid authentication credentials · Ability to send crafted HTTP requests
devstral-2 · analyzed Feb 16, 2026
github WORKING POC
by AbokorMAHAMMADMOUSSE · shellpoc
https://github.com/AbokorMAHAMMADMOUSSE/CVE-2025-25279-Mattermost-Path-Traversal

This repository contains a functional exploit for CVE-2025-25279, a path traversal vulnerability in Mattermost 10.4.1's Focalboard plugin. The exploit allows authenticated users to exfiltrate arbitrary files (e.g., /etc/passwd, config.json) via crafted attachment requests.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Mattermost 10.4.1 (Focalboard plugin)
Auth required
Prerequisites: authenticated Mattermost account · Personal Access Token (PAT) · Focalboard plugin enabled
devstral-2 · analyzed Apr 26, 2026
github WORKING POC
by Abokor-creator · shellpoc
https://github.com/Abokor-creator/CVE-2025-25279-Mattermost-Path-Traversal

This repository contains a functional exploit for CVE-2025-25279, a path traversal vulnerability in Mattermost 10.4.1's Focalboard plugin. The exploit allows authenticated users to exfiltrate arbitrary files (e.g., /etc/passwd, config.json) by manipulating attachment paths in Focalboard cards.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Mattermost 10.4.1 (Focalboard plugin)
Auth required
Prerequisites: Mattermost 10.4.1 instance · Valid Personal Access Token (PAT) · Focalboard plugin enabled
devstral-2 · analyzed Apr 24, 2026


Scores

CVSS v3 9.9
EPSS 0.5909
EPSS Percentile 98.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-22
Status published
Products (2)
mattermost/mattermost 0 - 8.0.0-20250122165010-4ed702ccff4e (Go)
mattermost/mattermost_server 9.11.0 - 9.11.8
Published Feb 24, 2025
Tracked Since Feb 18, 2026