Description
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2 and 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor, which allows authenticated users to write files to arbitrary locations on the filesystem by uploading archives whose member filenames contain path traversal sequences, potentially leading to remote code execution. The vulnerability affects instances where file uploads and document search by content are both enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). Both settings are enabled by default, so a default installation is exposed to any user who can upload attachments; because the extraction runs server-side as part of content indexing, no administrator interaction is required beyond the upload itself.
Product(s):
- MATTERMOST > mattermost 10.*.*
- MATTERMOST > mattermost 9.*.*
- Mattermost Server
- Mattermost Server 10.5.0
- Mattermost Server 10.5.0 Release Candidate 1
- Mattermost Server 10.5.0 Release Candidate 2
- Mattermost Server 10.5.0 Release Candidate 3
- Mattermost Server 10.5.0 Release Candidate 4
- Mattermost Server 10.5.0 Release Candidate 5
- Mattermost Server 10.5.0 Release Candidate 6
- Mattermost Server 10.5.1
- Mattermost Server 10.5.1 Release Candidate 1
- Mattermost Server 10.5.1 Release Candidate 2
- Mattermost Server 10.5.2
- Mattermost Server 10.5.3
- Mattermost Server 10.5.3 Release Candidate 1
- Mattermost Server 10.5.4
- Mattermost Server 10.5.4 Release Candidate 1
- Mattermost Server 10.5.4 Release Candidate 2
- Mattermost Server 10.5.5
- Mattermost Server 10.5.5 Release Candidate 1
- Mattermost Server 10.6.0
- Mattermost Server 10.6.0 Release Candidate 1
- Mattermost Server 10.6.0 Release Candidate 2
- Mattermost Server 10.6.0 Release Candidate 3
- Mattermost Server 10.6.1
- Mattermost Server 10.6.2
- Mattermost Server 10.6.2 Release Candidate 1
- Mattermost Server 10.6.3
- Mattermost Server 10.6.3 Release Candidate 1
- Mattermost Server 10.6.4
- Mattermost Server 10.6.4 Release Candidate 1
- Mattermost Server 10.6.5
- Mattermost Server 10.7.0
- Mattermost Server 10.7.0 Release Candidate 1
- Mattermost Server 10.7.0 Release Candidate 2
- Mattermost Server 10.7.1
- Mattermost Server 10.7.2
- Mattermost Server 10.7.2 Release Candidate 1
- Mattermost Server 10.8.0
- Mattermost Server 10.8.0 Release Candidate 1
- Mattermost Server 10.8.0 Release Candidate 2
- Mattermost Server 10.8.0 Release Candidate 3
- Mattermost Server 9.11.0
- Mattermost Server 9.11.0 Release Candidate 1
- Mattermost Server 9.11.0 Release Candidate 2
- Mattermost Server 9.11.0 Release Candidate 3
- Mattermost Server 9.11.10
- Mattermost Server 9.11.10 Release Candidate 1
- Mattermost Server 9.11.11
- Mattermost Server 9.11.11 Release Candidate 1
- Mattermost Server 9.11.12
- Mattermost Server 9.11.12 Release Candidate 1
- Mattermost Server 9.11.13
- Mattermost Server 9.11.13 Release Candidate 1
- Mattermost Server 9.11.14
- Mattermost Server 9.11.15
- Mattermost Server 9.11.1
- Mattermost Server 9.11.1 Release Candidate 1
- Mattermost Server 9.11.2
- Mattermost Server 9.11.2 Release Candidate 1
- Mattermost Server 9.11.2 Release Candidate 2
- Mattermost Server 9.11.3
- Mattermost Server 9.11.3 Release Candidate 1
- Mattermost Server 9.11.3 Release Candidate 2
- Mattermost Server 9.11.4
- Mattermost Server 9.11.4 Release Candidate 1
- +9 additional
Question to Ask Vendors:
- Have you updated all instances of Mattermost to versions beyond 10.5.5, 9.11.15, 10.8.0, 10.7.2, and 10.6.5 to mitigate the risk of CVE-2025-4981?
- Can you confirm if the FileSettings.EnableFileAttachments and FileSettings.ExtractContent configuration options are enabled in your Mattermost instances? If so, have you considered disabling the ExtractContent feature to reduce the attack surface?
- Have you implemented stricter file type validation and a pre-extraction scan of uploaded archives for member names containing path traversal sequences (including doubled or encoded forms such as `....//` that survive naive stripping), absolute paths, or symlinks, to prevent exploitation of the arbitrary file write vulnerability in Mattermost?
- Are you logging file uploads and extraction operations, monitoring those logs for archive member names containing traversal sequences and for file writes outside the expected extraction path, and forwarding them to a SIEM with alerting on such patterns, so that exploitation attempts against the arbitrary file write vulnerability in Mattermost are detected?
Recommended Actions:
- Audit Configuration Settings: Review the Mattermost configuration, particularly the `EnableFileAttachments` and `ExtractContent` settings under `FileSettings`. If content extraction is not business-critical, consider disabling `ExtractContent` to reduce the attack surface.
- Conduct Security Testing and Code Review: Periodically perform security assessments focused on file handling and input sanitization. Review custom plugins or extensions for similar flaws in archive processing or file path handling.
- Deploy Web Application Firewall (WAF): A WAF can reject upload requests whose body contains archive member names with `../` or a leading `/`. Note the limits: zip member names are stored uncompressed in the central directory and plain tar headers are readable, but gzip-, bzip2- or xz-compressed tarballs carry member names inside the compressed stream, where a pattern rule cannot see them. Treat WAF rules as defence in depth, not as a substitute for the patch.
- Enable Logging and Monitor File Activity: Ensure detailed logging of file uploads and extraction operations is enabled. Monitor logs for unusual archive names or file write activity outside expected paths. Integrate with SIEM platforms for alerting on suspicious patterns.
- Implement Application Hardening: Run the Mattermost server with reduced privileges and apply filesystem permissions that prevent the service account from writing to sensitive or executable locations, in particular the server binary, the plugin directory and any other path from which code is loaded, since an arbitrary file write only becomes code execution when the attacker can reach such a location. Use chroot jails or containers with a read-only root filesystem to further isolate file handling operations.
- Restrict File Upload Capabilities: Limit file upload functionality to trusted users or groups where feasible. Enforce stricter file type validation and scan uploaded archives before extraction, rejecting members whose names contain traversal sequences (including doubled or encoded forms), are absolute, or are symlinks pointing outside the extraction directory.
- Restrict Network and Role-Based Access: Ensure Mattermost services are not exposed to unnecessary networks and that only authenticated, authorized users can upload files. Apply the principle of least privilege in assigning user roles and capabilities.
- Stay Informed: Subscribe to Mattermost security advisories and monitor CVE databases for updates on related vulnerabilities. Track configuration best practices and apply security patches promptly to limit exposure to future threats.
- Upgrade Affected Systems: Immediately upgrade Mattermost to the first fixed release of the branch in use, i.e. a version later than 10.5.5, 9.11.15, 10.8.0, 10.7.2 or 10.6.5 respectively. These releases sanitize member filenames in the archive extraction logic, closing the path traversal that allowed authenticated users to write files to arbitrary locations and potentially achieve remote code execution.
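The extraction flaw in the Description and the pre-extraction scan recommended under Restrict File Upload Capabilities, shown as an added illustration in Go (the language Mattermost is written in). This is example code, not Mattermost's extractor or its fix: the function names `naiveTarget`, `safeJoin`, `auditZip` and `buildSampleZip`, the destination path `/srv/mattermost/extract` and the sample archive (constructed in memory, not captured from any instance) are all assumptions made for the example. It contrasts the vulnerable `filepath.Join(dest, name)` pattern with a containment check, then runs that check over a zip holding a benign member, a `../` traversal member and a symlink member.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry flags an archive member that must not be written under dest.
var ErrUnsafeEntry = errors.New("archive entry escapes extraction directory")

// naiveTarget is the vulnerable pattern: the member name is joined to the
// destination with no containment check. filepath.Join does clean "../", but
// cleaning "/srv/x/../../tmp/y" simply yields "/tmp/y".
func naiveTarget(dest, name string) string {
	return filepath.Join(dest, name)
}

// safeJoin is the hardened replacement: normalise backslashes, reject absolute
// names, and require the cleaned result to sit strictly below dest.
func safeJoin(dest, name string) (string, error) {
	name = strings.ReplaceAll(name, `\`, "/")
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", ErrUnsafeEntry
	}
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(os.PathSeparator)) {
		return "", ErrUnsafeEntry
	}
	return target, nil
}

// auditZip is the pre-extraction scan the advisory recommends: it returns the
// names of members that would escape dest, plus symlink members, which a
// later "safe" write beneath the link could follow out of dest. Member names
// live uncompressed in the central directory, so nothing is inflated here.
// zip.NewReader may report ErrInsecurePath (Go >= 1.20 with
// GODEBUG=zipinsecurepath=0) and still return a usable reader; that error is
// tolerated because the containment check below is stricter anyway.
func auditZip(data []byte, dest string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var unsafe []string
	for _, f := range zr.File {
		if _, err := safeJoin(dest, f.Name); err != nil || f.Mode()&os.ModeSymlink != 0 {
			unsafe = append(unsafe, f.Name)
		}
	}
	return unsafe, nil
}

// buildSampleZip constructs (not captured from any Mattermost instance) an
// archive with a benign member, a traversal member of the kind the advisory
// describes, and a symlink member pointing outside the extraction directory.
func buildSampleZip() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, m := range []struct{ name, body string }{
		{"notes/readme.txt", "harmless"},
		{"../../../tmp/owned.txt", "pwned"},
	} {
		w, _ := zw.Create(m.name)
		w.Write([]byte(m.body))
	}
	link := &zip.FileHeader{Name: "notes/etc", Method: zip.Store}
	link.SetMode(os.ModeSymlink | 0o777)
	w, _ := zw.CreateHeader(link)
	w.Write([]byte("/etc")) // a symlink member's body is its link target
	zw.Close()
	return buf.Bytes()
}

func main() {
	dest := "/srv/mattermost/extract"
	fmt.Println("naive target:", naiveTarget(dest, "../../../tmp/owned.txt"))
	unsafe, _ := auditZip(buildSampleZip(), dest)
	fmt.Println("unsafe members:", unsafe)
}
```

The prefix check compares against `dest` plus a separator rather than `dest` alone, so a sibling directory such as `/srv/mattermost/extract2` is not mistaken for a contained path. The same `safeJoin` check applies to tar members, but for compressed tarballs the names are only visible after decompression, which is why an in-process check like this one is needed in addition to any WAF rule.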