GHSA-gq3r-5833-5532

Source

https://github.com/advisories/GHSA-gq3r-5833-5532

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gq3r-5833-5532/GHSA-gq3r-5833-5532.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gq3r-5833-5532

Aliases

CVE-2025-36530

Published

2025-08-21T09:30:21Z

Modified

2025-08-21T15:57:22.475362Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Mattermost Fails to Validate File Paths

Details

Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2025-08-21T15:02:22Z",
    "nvd_published_at": "2025-08-21T07:15:29Z"
}

References

Affected packages

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

10.9.0

Fixed

10.9.2

Database specific

{
    "last_known_affected_version_range": "<= 10.9.1"
}

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

10.8.0

Fixed

10.8.4

Database specific

{
    "last_known_affected_version_range": "<= 10.8.3"
}

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

10.5.0

Fixed

10.5.9

Database specific

{
    "last_known_affected_version_range": "<= 10.5.8"
}

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

9.11.0

Fixed

9.11.18

Database specific

{
    "last_known_affected_version_range": "<= 9.11.17"
}

Go / github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.0.0-20250619095651-9dd0b3943e55