CVE-2025-25279
Published: 24 February 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-25279 affects Mattermost versions 10.4.x up to and including 10.4.1, 9.11.x up to 9.11.7, 10.3.x up to 10.3.2, and 10.2.x up to 10.2.2. The vulnerability arises from a failure to properly validate board blocks when importing boards in the Boards feature, classified under CWE-22 (Path Traversal). This flaw allows an attacker to read arbitrary files on the system by importing and then exporting a specially crafted import archive. It carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and was published on 2025-02-24.
An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). The attacker crafts a malicious board import archive, imports it, and then exports the resulting board; the export returns the contents of arbitrary files from the server. The scope change (S:C) amplifies the impact, resulting in high confidentiality, integrity, and availability consequences (C:H/I:H/A:H).
Mitigation details are available in the Mattermost security advisories at https://mattermost.com/security-updates.
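As an added defensive example (not Mattermost's own code), the kind of check the summary says was missing: every attachment reference in an imported board archive is resolved against the import directory and rejected if it escapes it. Go is used because Mattermost is written in Go; the Block type, the function names and the import root path are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Block is a minimal stand-in for an imported board block that may reference
// an attachment by name (an assumption for this example, not Mattermost's type).
type Block struct {
	ID       string
	FileName string
}

var ErrUnsafePath = errors.New("attachment path escapes import root")

// SafeAttachmentPath maps an archive-supplied attachment name onto a path under
// importRoot. It rejects empty names, absolute paths, backslash separators and
// any name that, once cleaned, resolves outside importRoot.
func SafeAttachmentPath(importRoot, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || strings.Contains(name, `\`) {
		return "", ErrUnsafePath
	}
	root := filepath.Clean(importRoot)
	dest := filepath.Join(root, name) // Join cleans, so "a/../../b" collapses before the check
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return dest, nil
}

// ValidateBlocks checks every attachment reference before any file is touched,
// so one traversing entry aborts the whole import rather than part of it.
func ValidateBlocks(importRoot string, blocks []Block) error {
	for _, b := range blocks {
		if b.FileName == "" {
			continue // block carries no attachment
		}
		if _, err := SafeAttachmentPath(importRoot, b.FileName); err != nil {
			return fmt.Errorf("block %s: %w", b.ID, err)
		}
	}
	return nil
}
```

Run the validation over the parsed archive before any file is read or written; a rejected import should also be logged with the offending block ID for detection purposes.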
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in Mattermost Boards import allows exploitation of the network-accessible application (T1190) to read arbitrary local system files (T1005).