CVE-2025-4981

CRITICAL LAB

Mattermost <=10.5.5, <=9.11.15, <=10.8.0, <=10.7.2, <=10.6.5 - Authenticated Arbitrary File Write via Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-4981. PoCs published by exploitintel.

AI-analyzed exploit summary This repository contains functional exploit code demonstrating CVE-2025-4981, a path traversal vulnerability in Mattermost Server's Upload Session API. The PoC scripts exploit the lack of filename sanitization in the archive extractor to achieve arbitrary file write, with potential for RCE.

Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-4981

View Code ZIP pw:eip

This repository contains functional exploit code demonstrating CVE-2025-4981, a path traversal vulnerability in Mattermost Server's Upload Session API. The PoC scripts exploit the lack of filename sanitization in the archive extractor to achieve arbitrary file write, with potential for RCE.

Classification

Working Poc 100%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: Mattermost Server (versions ≤ 9.11.15, ≤ 10.5.5, ≤ 10.6.5, ≤ 10.7.2, ≤ 10.8.0)

Auth required

Prerequisites: Docker and Docker Compose for lab setup · Authenticated Mattermost user with minimal privileges

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Mar 02, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory

https://mattermost.com/security-updates

Scores

CVSS v3 9.9

EPSS 0.0169

EPSS Percentile 82.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Lab Environment

EIP LAB

vulnerable docker pull ghcr.io/exploitintel/cve-2025-4981-vulnerable:latest

View in Library GitHub

Details

CWE

CWE-427

Status published

Products (4)

mattermost/mattermost 0 - 8.0.0-20250519205859-65aec10162f6Go

mattermost/mattermost-server 0 - 0.0.0-20250519205859-65aec10162f6Go

mattermost/mattermost_server 10.8.0 (4 CPE variants)

mattermost/mattermost_server 9.11.0 - 9.11.16

Published Jun 20, 2025

Tracked Since Feb 18, 2026