← back
CVE-2025-25279

Arbitrary file read in Mattermost Boards via import & export board archive

CVSS 9.9 CRITICALEPSS 20.8%CWE-22
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any arbitrary file on the system via importing and exporting a specially crafted import archive in Boards.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
Mattermost · Mattermost
public PoCs found2
githubgithub.com/numanturle/CVE-2025-252794githubgithub.com/AbokorMAHAMMADMOUSSE/CVE-2025-25279-Mattermost-Path-Traversal0
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://mattermost.com/security-updates