Home

Description

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory

PUBLISHED Reserved 2025-08-15 | Published 2025-09-19 | Updated 2025-09-20 | Assigner Mattermost




HIGH: 8.0CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

10.8.0 (semver)
affected

10.5.0 (semver)
affected

9.11.0 (semver)
affected

10.10.0 (semver)
affected

10.9.0 (semver)
affected

10.11.0
unaffected

10.8.4
unaffected

10.5.9
unaffected

9.11.18
unaffected

10.10.2
unaffected

10.9.4
unaffected

Credits

daw10 finder

References

mattermost.com/security-updates

cve.org (CVE-2025-9079)

nvd.nist.gov (CVE-2025-9079)

Download JSON