CVE-2025-9079

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.8.x through 10.8.3 Mattermost versions 10.5.x through 10.5.8 Mattermost versions 9.11.x through 9.11.17 Mattermost versions 10.10.x through 10.10.1 Mattermost versions 10.9.x through 10.9.3 Mattermost versions prior to 10.10.2

Description The Mattermost server fails to properly validate the import directory path configuration. This allows administrator users to potentially execute arbitrary code by uploading a malicious plugin to the prepackaged plugins directory. The issue is a path traversal, enabling unauthorized access and code execution.

Recommendations Mattermost versions 10.8.x through 10.8.3 should be updated to a version later than 10.8.3. Mattermost versions 10.5.x through 10.5.8 should be updated to a version later than 10.5.8. Mattermost versions 9.11.x through 9.11.17 should be updated to a version later than 9.11.17. Mattermost versions 10.10.x through 10.10.1 should be updated to a version later than 10.10.1. Mattermost versions 10.9.x through 10.9.3 should be updated to a version later than 10.9.3. Mattermost versions prior to 10.10.2 should be updated to version 10.10.2 or later.