CVE-2025-4981

Severity: CRITICAL (lab available)

Mattermost Server < 9.11.16 - Uncontrolled Search Path


Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor, which allows authenticated users to write files to arbitrary locations on the filesystem by uploading archives whose filenames contain path traversal sequences, potentially leading to remote code execution. The vulnerability affects instances where file uploads and document search by content are both enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). Both settings are enabled by default.

Exploits (1)

GitHub (working PoC, 1 star) by exploitintel, Python PoC:
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-4981

Scores

CVSS v3 9.9
EPSS 0.0169
EPSS Percentile 82.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Lab Environment

Vulnerable image: docker pull ghcr.io/exploitintel/cve-2025-4981-vulnerable:latest
Community image: docker pull mattermost/mattermost-team-edition:9.11.15

Details

CWE
CWE-427
Status published
Products (4)
mattermost/mattermost 0 - 8.0.0-20250519205859-65aec10162f6 (Go)
mattermost/mattermost-server 0 - 0.0.0-20250519205859-65aec10162f6 (Go)
mattermost/mattermost_server 10.8.0 (4 CPE variants)
mattermost/mattermost_server 9.11.0 - 9.11.16
Published Jun 20, 2025
Tracked Since Feb 18, 2026