CVE-2025-49222

Published: Aug 21, 2025Modified: Aug 25, 2025

6.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

Exploitability: 2.3 / Impact: 4.0

Source: NVD

Description

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.

Affected (5)

Products: Mattermost: Mattermost Server

Mattermost

1 product

Mattermost Server

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Mattermost Mattermost Server	From 10.5.0 to 10.5.9
Mattermost Mattermost Server	From 10.8.0 to 10.8.4
Mattermost Mattermost Server	From 10.9.0 to 10.9.3
Mattermost Mattermost Server	From 9.11.0 to 9.11.18
Mattermost Mattermost Server	Version 10.10.0

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (1)

https://mattermost.com/security-updates

Source: responsibledisclosure@mattermost.com

Vendor Advisory

Timeline

No history available yet.