
x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-qh58-9v3j-wcjc #3769

@GoVulnBot

Advisory GHSA-qh58-9v3j-wcjc references a vulnerability in the following Go modules:

Module
github.com/mattermost/mattermost-server
github.com/mattermost/mattermost-server/v5
github.com/mattermost/mattermost-server/v6
github.com/mattermost/mattermost/server/v8

Description:
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default.

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/mattermost/mattermost-server
      versions:
        - fixed: 0.0.0-20250519205859-65aec10162f6
      non_go_versions:
        - introduced: TODO (earliest fixed "10.6.6", vuln range ">= 10.6.0, <= 10.6.5")
        - introduced: TODO (earliest fixed "10.7.3", vuln range ">= 10.7.0, <= 10.7.2")
        - introduced: TODO (earliest fixed "10.8.1", vuln range "= 10.8.0")
        - introduced: TODO (earliest fixed "9.11.16", vuln range ">= 9.11.0, <= 9.11.15")
        - introduced: TODO (earliest fixed "10.5.6", vuln range ">= 10.5.0, <= 10.5.5")
    - module: github.com/mattermost/mattermost-server/v5
      vulnerable_at: 5.39.3
    - module: github.com/mattermost/mattermost-server/v6
      vulnerable_at: 6.7.2
    - module: github.com/mattermost/mattermost/server/v8
      versions:
        - fixed: 8.0.0-20250519205859-65aec10162f6
summary: Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server
cves:
    - CVE-2025-4981
ghsas:
    - GHSA-qh58-9v3j-wcjc
references:
    - advisory: https://github.com/advisories/GHSA-qh58-9v3j-wcjc
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-4981
    - fix: https://github.com/mattermost/mattermost/commit/65aec10162f612d98edf91cc66bf7e781868448b
    - web: https://mattermost.com/security-updates
notes:
    - fix: 'module merge error: could not merge versions of module github.com/mattermost/mattermost-server: invalid or non-canonical semver version (found TODO (earliest fixed "10.6.6", vuln range ">= 10.6.0, <= 10.6.5"))'
    - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
    - fix: 'github.com/mattermost/mattermost-server: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
    id: GHSA-qh58-9v3j-wcjc
    created: 2025-06-20T17:02:53.226689124Z
review_status: UNREVIEWED
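The advisory above describes an archive extractor that writes entries under whatever name the archive supplies, so a name containing path traversal sequences lands outside the intended directory. The following is an added example, not Mattermost's code and not the fix commit referenced in the record: a Go zip extractor that validates every entry name and mode before anything is written, so one bad entry refuses the whole upload instead of leaving a partial extraction. The names `ErrUnsafeName`, `safeJoin`, `extractZip`, `copyEntry` and `buildZip` are assumptions of this example, and the entries built in `main` are constructed demo input.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafeName flags an archive entry whose name could escape the extraction root.
var ErrUnsafeName = errors.New("archive entry name escapes extraction directory")

// safeJoin maps an entry name onto a path under dest (a cleaned directory). It rejects empty names,
// backslashes, NUL bytes, absolute paths, volume names and any ".." component, then re-checks the join.
func safeJoin(dest, name string) (string, error) {
	if name == "" || strings.ContainsAny(name, "\\\x00") || filepath.IsAbs(name) ||
		strings.HasPrefix(name, "/") || filepath.VolumeName(name) != "" {
		return "", ErrUnsafeName
	}
	for _, part := range strings.Split(name, "/") {
		if part == ".." {
			return "", ErrUnsafeName
		}
	}
	target := filepath.Join(dest, filepath.FromSlash(name))
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return target, nil
}

// extractZip validates every entry before touching disk, then writes the regular files under dest.
func extractZip(data []byte, dest string) error {
	dest = filepath.Clean(dest)
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return fmt.Errorf("open archive: %w", err) // includes zip.ErrInsecurePath on Go 1.20+
	}
	targets := make([]string, len(zr.File))
	for i, f := range zr.File {
		if targets[i], err = safeJoin(dest, f.Name); err != nil {
			return fmt.Errorf("entry %q: %w", f.Name, err)
		}
		if f.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("entry %q: symlink entries are not allowed", f.Name)
		}
	}
	for i, f := range zr.File {
		if f.FileInfo().IsDir() {
			continue // parent directories are created per file below
		}
		if err := os.MkdirAll(filepath.Dir(targets[i]), 0o755); err != nil {
			return err
		}
		if err := copyEntry(f, targets[i]); err != nil {
			return fmt.Errorf("entry %q: %w", f.Name, err)
		}
	}
	return nil
}

// copyEntry streams one already-validated entry to target.
func copyEntry(f *zip.File, target string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// buildZip assembles an in-memory archive from constructed sample entries (demo input only).
func buildZip(entries map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range entries {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "extract-demo")
	defer os.RemoveAll(dest)
	for _, name := range []string{"docs/readme.txt", "../../escape.txt", "/abs/escape.txt"} {
		fmt.Printf("%-18s -> %v\n", name, extractZip(buildZip(map[string]string{name: "x"}), dest))
	}
}
```

Two design points matter here. First, validation runs over the whole archive before the first write, which is what keeps a mixed archive from leaving benign files behind after the bad entry is hit. Second, the `filepath.Rel` check after `filepath.Join` is the canonical containment test, but the explicit `..` component scan in front of it also rejects names such as `a/../b.txt` that clean to a safe path yet have no business in an upload. Since Go 1.20, `zip.NewReader` can flag such names itself with `zip.ErrInsecurePath`, but only under `GODEBUG=zipinsecurepath=0`; the default permits them, so an application-level check like this one is still required.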
