CVE-2025-4981

CRITICAL LAB

Mattermost Server < 9.11.16 - Uncontrolled Search Path

Title source: rule

Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor, which allows authenticated users to write files to arbitrary locations on the filesystem by uploading archives whose entry names contain path traversal sequences, potentially leading to remote code execution. The vulnerability affects instances where file uploads and document search by content are enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). Both settings are enabled by default.
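The defect described above is the classic archive "zip-slip" pattern: an entry name such as ../../x is joined onto the extraction directory without checking where the cleaned path ends up. The following Go function is an added example of the lexical check an extractor should apply to every entry before creating it; it is not Mattermost's code, and the destination directory and entry names are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned for an archive entry that would resolve outside the destination.
var ErrPathTraversal = errors.New("archive entry escapes extraction directory")

// SafeExtractPath maps an archive entry name onto destDir and rejects any entry whose
// cleaned path would land outside destDir. It is a purely lexical check: it does not
// protect against symlinks already present under destDir, so extract into a fresh,
// empty directory and do not follow links when writing. (Hypothetical hardening,
// not Mattermost's own implementation.)
func SafeExtractPath(destDir, entryName string) (string, error) {
	// Archive formats use "/" as separator; normalise to the host separator first.
	name := filepath.FromSlash(entryName)
	// Absolute entry names are rejected outright rather than silently re-rooted.
	if filepath.IsAbs(name) || strings.HasPrefix(entryName, "/") {
		return "", ErrPathTraversal
	}
	base := filepath.Clean(destDir)
	// Join cleans the result, so "docs/../../x" collapses to a path above base.
	target := filepath.Join(base, name)
	// The target must be base itself (a directory entry) or sit strictly below it;
	// the trailing separator prevents "/srv/extract2" from passing as "/srv/extract".
	if target != base && !strings.HasPrefix(target, base+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return target, nil
}

func main() {
	// Constructed entry names as they might appear in an uploaded archive.
	entries := []string{"docs/readme.md", "../../outside.txt", "/abs.txt", "a/../../b", "nested/../file"}
	for _, e := range entries {
		if p, err := SafeExtractPath("/srv/extract", e); err != nil {
			fmt.Printf("REJECT %q: %v\n", e, err)
		} else {
			fmt.Printf("accept %q -> %s\n", e, p)
		}
	}
}
```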

Exploits (1)

GitHub, working PoC, 1 star
by exploitintel (Python PoC)
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-4981

Scores

CVSS v3 9.9
EPSS 0.0063
EPSS Percentile 70.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Lab Environment

vulnerable
docker pull ghcr.io/exploitintel/cve-2025-4981-vulnerable:latest

Classification

CWE
CWE-427
Status published

Affected Products (7)

mattermost/mattermost_server < 9.11.16
mattermost/mattermost_server
mattermost/mattermost_server
mattermost/mattermost_server
mattermost/mattermost_server
mattermost/mattermost-server < 0.0.0-20250519205859-65aec10162f6 (Go)
mattermost/mattermost < 8.0.0-20250519205859-65aec10162f6 (Go)

Timeline

Published Jun 20, 2025
Tracked Since Feb 18, 2026