CVE-2025-25279

high-risk

Published 2025-02-24

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any arbitrary file on the system via importing and exporting a specially crafted import archive in Boards.

Do I need to act?

61.2% chance of exploitation in next 30 days

EPSS score — higher than 39% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: 968fc9abd56d51d32880bca2f7cbcdff8c1af68c, e246296facafd47a71e4b88c7f47647214f2712c, 286f59a75888cafe4adf7759df6fb9df71321c2d, dabbe427c192a73527734aec5449a71acbe03535

CVSS 9.9/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Mattermost Server

Affected Vendors

Mattermost

References (1)

Vendor Advisory https://mattermost.com/security-updates

/ 100

high-risk

Severity 33/34 · Critical

Exploitability 19/34 · Moderate

Exposure 5/34 · Minimal