
Open-source collaboration platform Mattermost is exposed to a severe vulnerability that threatens the integrity of its deployments worldwide. Tracked as CVE-2025-4981, this critical flaw (CVSS 9.9) allows authenticated users to write files to arbitrary locations on the host system—opening the door to remote code execution.
Mattermost is a widely adopted, open-source team messaging and collaboration platform designed for enterprise-grade internal communications. Often seen as a self-hosted alternative to Slack and Microsoft Teams, Mattermost emphasizes privacy, flexibility, and integration with third-party tools. It’s commonly used by organizations handling sensitive data, including financial firms, healthcare providers, and government agencies.
At the core of CVE-2025-4981 is a path traversal bug in Mattermost’s archive extractor component. Affected versions include:
- 10.5.x ≤ 10.5.5
- 9.11.x ≤ 9.11.15
- 10.8.x ≤ 10.8.0
- 10.7.x ≤ 10.7.2
- 10.6.x ≤ 10.6.5
The issue arises from improper sanitization of filenames when users upload compressed archive files (such as .zip or .tar.gz). An attacker with valid credentials can upload an archive containing files with malicious path traversal sequences (e.g., ../../../etc/passwd), causing the application to extract those files outside the intended directory.
If the targeted instance has both of the following settings enabled (which they are by default):
- FileSettings.EnableFileAttachments = true
- FileSettings.ExtractContent = true
With those settings on, the attacker can effectively plant files in critical filesystem locations, potentially executing arbitrary code or escalating privileges within the environment.
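The defensive check the article is describing, as an added example written for this page (it is not Mattermost's code and not the vendor's fix): a Go routine that validates every archive entry name against the extraction directory before anything is written, and a constructed in-memory zip with one benign entry, one `../` traversal entry and one absolute-path entry to exercise it. The destination path `/srv/mattermost/extract` is a placeholder, and `SafeJoin` / `CheckArchive` are names chosen here, not identifiers from the project.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned for any entry whose normalised path would
// land outside the extraction directory.
var ErrPathTraversal = errors.New("archive entry escapes extraction directory")

// ErrEmptyEntry is returned for an entry name that resolves to the
// extraction directory itself (e.g. "" or ".").
var ErrEmptyEntry = errors.New("archive entry has no usable file name")

// SafeJoin resolves an archive entry name against dest and refuses any
// result that is not strictly inside dest. The name is normalised first, so
// "a/../../x", absolute paths and backslash-separated names are all caught.
func SafeJoin(dest, name string) (string, error) {
	// Treat backslashes as separators so a Windows-style entry name cannot
	// slip past the check on a POSIX host.
	name = strings.ReplaceAll(name, "\\", "/")
	if filepath.IsAbs(name) || strings.HasPrefix(name, "/") {
		return "", ErrPathTraversal
	}
	cleanDest := filepath.Clean(dest)
	// filepath.Join cleans the result, collapsing ".." segments; whatever
	// they collapse to is then compared against dest.
	target := filepath.Join(cleanDest, filepath.FromSlash(name))
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", ErrPathTraversal
	}
	// Using Rel instead of a string prefix avoids the classic mistake where
	// "/srv/out2/x" passes a HasPrefix("/srv/out") check.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	if rel == "." {
		return "", ErrEmptyEntry
	}
	return target, nil
}

// CheckArchive opens a zip held in memory and reports, per entry, either the
// path it would be extracted to or a "REJECTED: ..." reason. Nothing is
// written to disk; this is the validation that must run before extraction.
func CheckArchive(zipBytes []byte, dest string) (map[string]string, error) {
	r, err := zip.NewReader(bytes.NewReader(zipBytes), int64(len(zipBytes)))
	// Go 1.20+ can itself flag non-local names with ErrInsecurePath (when
	// GODEBUG=zipinsecurepath=0); the reader is still returned, so we keep
	// going and let SafeJoin make the per-entry decision.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	results := make(map[string]string)
	for _, f := range r.File {
		target, err := SafeJoin(dest, f.Name)
		if err != nil {
			results[f.Name] = "REJECTED: " + err.Error()
			continue
		}
		results[f.Name] = target
	}
	return results, nil
}

// buildSampleZip constructs, in memory and only for this example, an archive
// with one benign entry and two entries that try to leave the directory.
func buildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	entries := map[string]string{
		"notes/readme.txt":    "benign content",
		"../../../etc/passwd": "traversal attempt (constructed sample)",
		"/absolute/path.txt":  "absolute path attempt (constructed sample)",
	}
	for name, body := range entries {
		fw, err := w.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := fw.Write([]byte(body)); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	results, err := CheckArchive(buildSampleZip(), "/srv/mattermost/extract")
	if err != nil {
		panic(err)
	}
	for name, verdict := range results {
		fmt.Printf("%-22s -> %s\n", name, verdict)
	}
}
```

Two caveats a reviewer of real extraction code would raise: this check only covers entry names, so an extractor that honours symlink entries still needs to refuse (or not follow) links that point outside the destination, and it must be applied to every entry of every archive format accepted (.zip, .tar.gz and so on), not only the one shown here.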
The Mattermost team has issued security updates addressing CVE-2025-4981. All administrators are strongly advised to upgrade to the latest stable versions that patch the affected archive extraction behavior.