CVE-2025-49222

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.
References
Link Resource
https://mattermost.com/security-updates Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_server:10.10.0:-:*:*:*:*:*:*

History

17 Jun 2026, 09:30

Type Values Removed Values Added
CPE cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_server:10.10.0:-:*:*:*:*:*:*
First Time Mattermost mattermost Server
Mattermost
References () https://mattermost.com/security-updates - () https://mattermost.com/security-updates - Vendor Advisory

22 Aug 2025, 18:09

Type Values Removed Values Added
Summary
  • (es) Las versiones de Mattermost 10.8.x &lt;= 10.8.3, 10.5.x &lt;= 10.5.8, 9.11.x &lt;= 9.11.17, 10.9.x &lt;= 10.9.2, 10.10.x &lt;= 10.10.0 no pueden validar los tipos de carga en sesiones de carga de clúster remoto, lo que permite que un administrador del sistema cargue tipos de archivos no adjuntos a través de canales compartidos que potencialmente podrían ubicarse en directorios arbitrarios del sistema de archivos.

21 Aug 2025, 08:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-08-21 08:15

Updated : 2026-06-17 09:30


NVD link : CVE-2025-49222

Mitre link : CVE-2025-49222

CVE.ORG link : CVE-2025-49222


JSON object : View

Products Affected

mattermost

  • mattermost_server
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type