CVE-2025-25279

CRITICAL

Mattermost <10.4.1-10.3.2-10.2.2 - Info Disclosure

Title source: llm

Description

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any arbitrary file on the system via importing and exporting a specially crafted import archive in Boards.

Exploits (2)

nomisec WRITEUP 4 stars

by numanturle · poc

https://github.com/numanturle/CVE-2025-25279

View Code ZIP pw:eip

github WORKING POC

by Abokor-creator · shellpoc

https://github.com/Abokor-creator/CVE-2025-25279-Mattermost-Path-Traversal

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 9.9

EPSS 0.6120

EPSS Percentile 98.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (2)

mattermost/mattermost 0 - 8.0.0-20250122165010-4ed702ccff4eGo

mattermost/mattermost_server 9.11.0 - 9.11.8

Published Feb 24, 2025

Tracked Since Feb 18, 2026