PT-2025-12410 · Mattermost · Mattermost

Hackit_Bharat

Published: 2025-03-21
Updated: 2025-03-28

CVE-2025-25274

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Mattermost versions 9.11.x through 9.11.8
Mattermost versions 10.3.x through 10.3.3
Mattermost versions 10.4.x through 10.4.2

Description:
The issue allows authenticated users to execute commands in archived channels, as the affected versions of Mattermost fail to restrict command execution in such channels.

Recommendations:
For versions 9.11.x through 9.11.8, restrict access to archived channels to prevent command execution.
For versions 10.3.x through 10.3.3, consider disabling command execution in archived channels until a fix is available.
For versions 10.4.x through 10.4.2, avoid using archived channels for sensitive operations until the issue is resolved.

Fix

Command Injection

Incorrect Authorization


Weakness Enumeration

Related Identifiers

BIT-MATTERMOST-2025-25274
CVE-2025-25274
GHSA-4V65-XQCJ-WPGG
GO-2025-3550
OPENSUSE-SU-2025:14937-1

Affected Products

Mattermost