Date of Disclosure (source): January 23, 2025 (Published to NVD on February 24, 2025)
Three critical vulnerabilities have been identified in Mattermost, an open-source collaboration platform offering features similar to Slack or Microsoft Teams, including channels, direct messaging, DevOps integrations, playbooks and boards for task management.
These vulnerabilities specifically affect the boards feature in Mattermost, potentially exposing applications to arbitrary file reads and SQL injection attacks. Below is a breakdown of the vulnerabilities:
- CVE-2025-20051 – Arbitrary File Read via Board Duplication
Due to improper input validation when duplicating a board, an attacker may insert a malicious block that allows them to read arbitrary files on the server.
- CVE-2025-24490 – SQL Injection via Board Reordering
Mattermost fails to use prepared statements for the SQL queries that reorder boards, enabling attackers to inject SQL commands to retrieve or manipulate database data.
- CVE-2025-25279 – Arbitrary File Read via Board Import
Inadequate validation of board blocks when importing boards allows an attacker to reference system files within a specially crafted archive, leading to unauthorized file access.
Mattermost has released patches addressing each of these vulnerabilities. At the time of writing, we are not aware of active exploitation of these vulnerabilities, and no public exploit code is available.
CVE-ID:
- CVE-2025-20051 – CVSS 9.9 (critical) – assigned by Mattermost
- CVE-2025-24490 – CVSS 9.6 (critical) – assigned by Mattermost
- CVE-2025-25279 – CVSS 9.9 (critical) – assigned by Mattermost

Vulnerability Description:
- CVE-2025-20051 – Mattermost does not properly validate input while duplicating a board, allowing an attacker to read arbitrary files by inserting a malicious block that is then processed in an unintended way.
- CVE-2025-24490 – Mattermost does not use prepared statements when executing SQL queries for reordering boards, allowing an attacker to inject SQL commands.
- CVE-2025-25279 – Mattermost does not properly validate board blocks when importing boards, allowing an attacker to include references to system files in an imported archive.

Date of Disclosure:
January 23, 2025 (Published to NVD on February 24, 2025)

Affected Assets:
- CVE-2025-20051 – Mattermost boards (when duplicating boards)
- CVE-2025-24490 – Mattermost boards (when reordering boards)
- CVE-2025-25279 – Mattermost board blocks (when importing boards)

Vulnerable Software Versions:
All three vulnerabilities affect the same Mattermost versions:
- 10.4.x ≤ 10.4.1
- 9.11.x ≤ 9.11.7
- 10.3.x ≤ 10.3.2
- 10.2.x ≤ 10.2.2

PoC Available?
We did not observe any public exploits available at the time of writing.

Exploitation Status:
We did not observe these vulnerabilities on CISA's list of known exploited vulnerabilities or in GreyNoise at the time of writing.

Patch Status:
These vulnerabilities have been fixed in the following Mattermost versions:
- 10.4.x ≤ 10.4.1 – fixed in 10.4.2
- 9.11.x ≤ 9.11.7 – fixed in 9.11.8
- 10.3.x ≤ 10.3.2 – fixed in 10.3.3
- 10.2.x ≤ 10.2.2 – fixed in 10.2.3
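The version ranges above are the whole patch decision, so an added example follows (not Censys's or Mattermost's code): it parses a Mattermost version string, classifies it against the affected and fixed versions listed in this advisory, and tallies a constructed inventory the way the exposure table below does. The inventory list is constructed sample data; versions outside the four listed branches are reported as not assessed rather than assumed safe.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Tuple

# Per (major, minor) branch: (last vulnerable patch level, first fixed patch level),
# taken from the Vulnerable Software Versions and Patch Status fields of this advisory.
AFFECTED_BRANCHES = {
    (10, 4): (1, 2),   # 10.4.x <= 10.4.1 vulnerable, fixed in 10.4.2
    (10, 3): (2, 3),   # 10.3.x <= 10.3.2 vulnerable, fixed in 10.3.3
    (10, 2): (2, 3),   # 10.2.x <= 10.2.2 vulnerable, fixed in 10.2.3
    (9, 11): (7, 8),   # 9.11.x <= 9.11.7 vulnerable, fixed in 9.11.8
}


def parse_version(raw: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from strings like '10.4.1', 'v9.11.7' or '10.4.1-rc1'."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m:
        raise ValueError(f"unrecognised Mattermost version string: {raw!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def assess(raw: str) -> Dict[str, object]:
    """Classify one version as 'vulnerable', 'patched' or 'not assessed' (branch not listed)."""
    major, minor, patch = parse_version(raw)
    branch = AFFECTED_BRANCHES.get((major, minor))
    if branch is None:
        # Branches the advisory does not list (e.g. 10.5.x or 9.10.x) cannot be judged from it.
        return {"version": raw, "status": "not assessed", "fixed_in": None}
    last_vulnerable, first_fixed = branch
    if patch <= last_vulnerable:
        return {"version": raw, "status": "vulnerable",
                "fixed_in": f"{major}.{minor}.{first_fixed}"}
    return {"version": raw, "status": "patched", "fixed_in": None}


def vulnerable_version_counts(versions: Iterable[str]) -> Dict[str, int]:
    """Count hosts per vulnerable version, mirroring the exposure table format of this advisory."""
    counts: Counter = Counter()
    for v in versions:
        result = assess(v)
        if result["status"] == "vulnerable":
            counts[f"{parse_version(v)[0]}.{parse_version(v)[1]}.{parse_version(v)[2]}"] += 1
    return dict(counts)


# Constructed sample inventory (not real observations): one version string per host.
SAMPLE_INVENTORY = ["9.11.0", "v9.11.0", "10.4.2", "9.11.7", "10.5.0", "10.3.2-rc1"]

if __name__ == "__main__":
    for version, hosts in sorted(vulnerable_version_counts(SAMPLE_INVENTORY).items()):
        print(f"{version} | {hosts}")
```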
Censys Perspective
At the time of writing, Censys observed 166,645 Mattermost applications, 4,564 of which were exposing a vulnerable version. The other exposed applications also displayed versions, but they were either patched or outside the affected version ranges listed above. See the table below for the eight vulnerable versions we saw exposed:
Version | Host Count
9.11.0 | 2418
9.11.2 | 952
9.11.6 | 587
9.11.1 | 297
9.11.5 | 107
9.11.7 | 77
9.11.4 | 65
9.11.3 | 61
[Map: exposed hosts that are potentially vulnerable]
Censys Search Query:
services.software: (product="Mattermost") and not labels: {honeypot, tarpit}
Censys ASM Query:
host.services.software.product="Mattermost" and not host.labels: {honeypot, tarpit}
Risk:
risks.name = "Vulnerable Mattermost [CVE-2025-20051, CVE-2025-25279, & CVE-2025-24490]"