Mattermost has addressed three critical security vulnerabilities impacting its Boards plugin. The vulnerabilities are tracked as CVE-2025-20051, CVE-2025-24490, and CVE-2025-25279. Successful exploitation of the vulnerabilities may allow attackers to read arbitrary files on the system and execute SQL injection attacks.
Mattermost is an open-source, self-hosted team communication and collaboration platform that helps teams communicate, organize, and work together on projects. The platform is designed to be secure, flexible, and scalable. The platform accelerates workflows across people, tools, and processes.
CVE-2025-25279
The vulnerability has a critical severity rating with a CVSS score of 9.9. An attacker may exploit the vulnerability to read arbitrary files on the system by importing and exporting a specially crafted import archive in Boards. The vulnerability only affects Mattermost instances with Boards enabled.
CVE-2025-20051
The vulnerability has a critical severity rating with a CVSS score of 9.9. An attacker may exploit the vulnerability to read arbitrary files on the system by duplicating a specially crafted block in Boards. The vulnerability only affects Mattermost instances with Boards enabled.
CVE-2025-24490
The vulnerability has a critical severity rating with a CVSS score of 9.6. An attacker may exploit the vulnerability to perform SQL injection and retrieve data from the database by reordering specially crafted board categories. The vulnerability only affects Mattermost instances with Boards enabled.
Affected Versions
- Mattermost versions up to and including 10.4.1
- Mattermost 9.11.x versions up to and including 9.11.7
- Mattermost 10.3.x versions up to and including 10.3.2
- Mattermost 10.2.x versions up to and including 10.2.2
Mitigation
Customers should upgrade to one of the following versions to patch the vulnerabilities:
- 10.5.0
- 10.4.2
- 9.11.8
- 10.3.3
- 10.2.3
For more information, please refer to the Mattermost Security Advisory.
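The affected and fixed version lists above are easy to misread when a fleet runs several release lines. The check below is an added example (not Mattermost or Qualys code) that classifies a server version string against exactly those lists; it treats pre-release builds as unpatched and, as an assumption, points release lines the advisory does not list (such as 10.1.x) at 10.5.0. It cannot tell whether Boards is enabled, so that is passed in by the caller.

```python
# Constructed check for the version ranges in this advisory (not Mattermost or Qualys code).
FIXED_BY_LINE = {          # release line -> first patched version on that line
    (10, 4): (10, 4, 2),
    (10, 3): (10, 3, 3),
    (10, 2): (10, 2, 3),
    (9, 11): (9, 11, 8),
}
LATEST_FIXED = (10, 5, 0)  # 10.5.0 and anything newer is patched


def parse_version(text: str) -> tuple:
    """Turn 'v10.4.1' or '10.4.2-rc1' into (major, minor, patch, final).

    final is 1 for a release and 0 for a pre-release, so '10.4.2-rc1'
    sorts before '10.4.2' and is still treated as unpatched.
    """
    s = text.strip().lstrip("v")
    core, _, suffix = s.partition("-")
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Mattermost version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (*nums, 0 if suffix else 1)


def assess(version: str, boards_enabled: bool = True) -> dict:
    """Classify one server version against the advisory's affected/fixed lists."""
    v = parse_version(version)
    # Assumption: a release line without a listed patch release is sent to 10.5.0.
    fixed = FIXED_BY_LINE.get(v[:2], LATEST_FIXED)
    patched = v >= (*LATEST_FIXED, 1) or v >= (*fixed, 1)
    return {
        "version": version,
        "vulnerable_version": not patched,
        # The advisory scopes all three CVEs to instances with Boards enabled.
        "exposed": (not patched) and boards_enabled,
        "upgrade_to": None if patched else ".".join(map(str, fixed)),
    }


if __name__ == "__main__":
    for sample in ("10.4.1", "10.4.2-rc1", "9.11.8", "10.1.5"):
        print(assess(sample))
```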
Qualys Detection
Qualys customers can scan their devices with QIDs 732286 and 152785 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.