February 25 Advisory: Multiple Critical Vulnerabilities in Mattermost Collaboration Software
Date of Disclosure (source): January 23, 2025 (Published to NVD on February 24, 2025)
Three critical vulnerabilities have been identified in Mattermost, an open-source collaboration platform offering features similar to Slack or Microsoft Teams, including channels, direct messaging, DevOps integrations, playbooks and boards for task management.
These vulnerabilities specifically affect the boards feature in Mattermost, potentially exposing applications to arbitrary file reads and SQL injection attacks. Below is a breakdown of the vulnerabilities:
- CVE-2025-20051 – Arbitrary File Read via Board Duplication: due to improper input validation when duplicating a board, an attacker can insert a malicious block that lets them read arbitrary files on the server.
- CVE-2025-24490 – SQL Injection via Board Reordering: Mattermost does not use prepared statements for the SQL queries that reorder boards, so an attacker can inject SQL commands to retrieve or manipulate database data.
- CVE-2025-25279 – Arbitrary File Read via Board Import: inadequate validation of board blocks when importing a board allows an attacker to reference system files from within a specially crafted archive, leading to unauthorized file access.
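As an added illustration (not Mattermost's code), the following Go check shows the kind of validation that closes the import path described for CVE-2025-25279: every file reference in an archive's block manifest is resolved against the import directory and rejected if it would point outside it. BlockFile, SafeImportPath, CheckManifest and the sample manifest are assumed names and constructed data.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// BlockFile is a hypothetical stand-in for a file reference carried by a
// board block inside an import archive; it is not Mattermost's own type.
type BlockFile struct {
	BlockID string
	Ref     string // path exactly as written in the archive manifest
}

// SafeImportPath resolves ref against root and returns the resulting path only
// if it stays inside root. Absolute paths, drive-letter paths and any "../"
// sequence that climbs out of root are rejected.
func SafeImportPath(root, ref string) (string, error) {
	if ref == "" {
		return "", fmt.Errorf("empty file reference")
	}
	norm := strings.ReplaceAll(ref, `\`, "/") // treat "..\" the same as "../"
	if strings.HasPrefix(norm, "/") || (len(norm) > 1 && norm[1] == ':') {
		return "", fmt.Errorf("absolute path rejected: %q", ref)
	}
	joined := filepath.Join(root, filepath.FromSlash(norm)) // Join also cleans ".."
	rel, err := filepath.Rel(root, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path escapes import root: %q", ref)
	}
	return joined, nil
}

// CheckManifest validates every block reference and returns the IDs of the
// blocks whose references must not be honoured.
func CheckManifest(root string, blocks []BlockFile) []string {
	var rejected []string
	for _, b := range blocks {
		if _, err := SafeImportPath(root, b.Ref); err != nil {
			rejected = append(rejected, b.BlockID)
		}
	}
	return rejected
}

func main() {
	// Constructed sample manifest: two benign references, three that try to escape.
	blocks := []BlockFile{
		{"b1", "files/board.png"},
		{"b2", "files/../files/notes.txt"},
		{"b3", "../../etc/passwd"},
		{"b4", "/etc/hosts"},
		{"b5", `..\..\windows\win.ini`},
	}
	fmt.Println("rejected blocks:", CheckManifest("/srv/boards/import", blocks))
}
```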
Patches have been released by Mattermost to address each of these vulnerabilities. At the time of writing, we are not aware of active exploitation of these vulnerabilities or of any publicly available exploit code.
Field | Details
---|---
CVE-ID | CVE-2025-20051, CVE-2025-24490, CVE-2025-25279
Vulnerability Description | Arbitrary file read via board duplication (CVE-2025-20051); SQL injection via board reordering (CVE-2025-24490); arbitrary file read via board import (CVE-2025-25279)
Date of Disclosure | January 23, 2025 (Published to NVD on February 24, 2025)
Affected Assets | Mattermost (boards feature)
Vulnerable Software Versions | All three vulnerabilities affect the same Mattermost versions:
PoC Available? | We did not observe any public exploits available at the time of writing.
Exploitation Status | We did not observe this vulnerability on CISA's list of known exploited vulnerabilities or in GreyNoise at the time of writing.
Patch Status | These vulnerabilities have been fixed in the following Mattermost versions:
Censys Perspective
At the time of writing, Censys observed 166,645 Mattermost applications, 4,564 of which were exposing a vulnerable version. The other exposed applications also displayed versions, but they were either patched or outside the affected version ranges listed above. See the table below for the eight vulnerable versions we saw exposed:
Version | Host Count |
---|---|
9.11.0 | 2418 |
9.11.2 | 952 |
9.11.6 | 587 |
9.11.1 | 297 |
9.11.5 | 107 |
9.11.7 | 77 |
9.11.4 | 65 |
9.11.3 | 61 |
Map of exposed hosts that are potentially vulnerable (figure not reproduced here).

Search queries:

```text
services.software: (product="Mattermost") and not labels: {honeypot, tarpit}
host.services.software.product="Mattermost" and not host.labels: {honeypot, tarpit}
risks.name = "Vulnerable Mattermost [CVE-2025-20051, CVE-2025-25279, & CVE-2025-24490]"
```