First published: Fri Mar 21 2025
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.
Credit: responsibledisclosure@mattermost.com
Affected Software | Affected Version | How to fix |
---|---|---|
Mattermost | >=9.11.0 <9.11.9 | 9.11.9 |
Mattermost | >=10.3.0 <10.3.4 | 10.3.4 |
Mattermost | >=10.4.0 <10.4.3 | 10.4.3 |
go/github.com/mattermost/mattermost/server/v8 | =10.5.0 | 10.5.1 |
go/github.com/mattermost/mattermost/server/v8 | >=9.11.0 <9.11.9 | 9.11.9 |
go/github.com/mattermost/mattermost/server/v8 | >=10.3.0 <10.3.4 | 10.3.4 |
go/github.com/mattermost/mattermost/server/v8 | >=10.4.0 <10.4.3 | 10.4.3 |
Update Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or higher.
CVE-2025-25274 is considered a high severity vulnerability due to its potential for unauthorized command execution in archived channels.
To fix CVE-2025-25274, upgrade your Mattermost version to 10.4.3, 10.3.4, or 9.11.9 or later.
CVE-2025-25274 affects Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3, and 9.11.x up to and including 9.11.8.
CVE-2025-25274 stems from a failure to restrict command execution in archived channels, which allows authenticated users to run commands that should be blocked there.
You should assess your Mattermost version to determine if it falls within the affected versions outlined in CVE-2025-25274.
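As an added example (not code from the advisory or from Mattermost), a small Python check that tests a server version string against the three affected ranges stated above and reports the first fixed release on that line; the version string format it accepts is an assumption.

```python
"""Check a Mattermost version string against the CVE-2025-25274 affected ranges.

Ranges are the three release lines listed in the advisory:
  >=9.11.0 <9.11.9, >=10.3.0 <10.3.4, >=10.4.0 <10.4.3
"""

# (first affected, first fixed) per release line, taken from the advisory table.
AFFECTED_RANGES = [
    ((9, 11, 0), (9, 11, 9)),
    ((10, 3, 0), (10, 3, 4)),
    ((10, 4, 0), (10, 4, 3)),
]


def parse_version(text):
    """Parse 'X.Y.Z' into an (X, Y, Z) tuple of ints.

    Assumption: an optional leading 'v' and any '-suffix' (e.g. build tags)
    are tolerated; anything else is rejected rather than guessed at.
    """
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised Mattermost version string: %r" % text)
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the version falls inside any affected range (inclusive low, exclusive high)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version):
    """Return the first fixed release on the same line, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inputs covering both sides of each boundary.
    for sample in ["9.11.8", "9.11.9", "10.3.3", "10.4.0", "10.4.3", "10.5.0"]:
        print(sample, "affected" if is_affected(sample) else "not affected",
              recommended_fix(sample) or "")
```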