GHSA-qh58-9v3j-wcjc

Source
https://github.com/advisories/GHSA-qh58-9v3j-wcjc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-qh58-9v3j-wcjc/GHSA-qh58-9v3j-wcjc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qh58-9v3j-wcjc
Aliases
Published
2025-06-20T12:30:53Z
Modified
2025-07-28T20:42:05.354742Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Mattermost allows authenticated users to write files to arbitrary locations
Details

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor, which allows authenticated users to write files to arbitrary locations on the filesystem by uploading archives whose member filenames contain path traversal sequences, potentially leading to remote code execution. The vulnerability affects instances where file uploads and document search by content are enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true); both settings are enabled by default.
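The mitigation for the flaw described above, as an added example that is not Mattermost's own code: a Go helper that resolves every archive member name against the extraction directory and refuses any name that would land outside it before a single file is written. SafeJoin, AuditMembers, the constructed SampleMembers listing and the destination /var/mattermost/extract are all assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry marks an archive member whose name would escape the extraction directory.
var ErrUnsafeEntry = errors.New("archive entry escapes extraction directory")

// SafeJoin resolves a slash-separated member name (as archive/zip and archive/tar report it)
// under destDir and rejects it when the cleaned result would land outside destDir.
// Hypothetical helper written for this example, not Mattermost code.
func SafeJoin(destDir, name string) (string, error) {
	if strings.HasPrefix(name, "/") || strings.HasPrefix(name, "\\") {
		return "", ErrUnsafeEntry // absolute names are never legitimate in an upload
	}
	// Treat backslashes as separators so "..\" cannot slip past a slash-only check.
	target := filepath.Join(destDir, filepath.FromSlash(strings.ReplaceAll(name, "\\", "/")))
	rel, err := filepath.Rel(filepath.Clean(destDir), target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeEntry // "." is an empty name; a leading ".." means traversal survived Join
	}
	return target, nil
}

// AuditMembers splits a member listing into resolved targets that may be written
// under destDir and member names that must be rejected before extraction starts.
func AuditMembers(destDir string, names []string) (safe, rejected []string) {
	for _, name := range names {
		if target, err := SafeJoin(destDir, name); err != nil {
			rejected = append(rejected, name)
		} else {
			safe = append(safe, target)
		}
	}
	return safe, rejected
}

// SampleMembers is a constructed listing mixing benign and traversal member names.
var SampleMembers = []string{
	"docs/report.txt", "nested/./ok.txt", "sub/../../escape.sh",
	"../../../opt/app/plugins/x.so", "..\\..\\win.ini", "/etc/passwd",
}

func main() {
	safe, rejected := AuditMembers("/var/mattermost/extract", SampleMembers)
	fmt.Println("safe:", safe, "rejected:", rejected)
}
```

Note that this checks names only; tar archives can additionally carry symlink members whose targets must be validated the same way before any later member is written through them.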

Database specific
{
    "severity": "CRITICAL",
    "github_reviewed_at": "2025-06-20T16:38:01Z",
    "nvd_published_at": "2025-06-20T11:15:20Z",
    "cwe_ids": [
        "CWE-427"
    ],
    "github_reviewed": true
}
References

Affected packages

Go / github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.0.0-20250519205859-65aec10162f6

Go / github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
8.0.0-20250519205859-65aec10162f6

Go / github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
10.5.0
Fixed
10.5.6

Database specific

{
    "last_known_affected_version_range": "<= 10.5.5"
}

Go / github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
9.11.0
Fixed
9.11.16

Database specific

{
    "last_known_affected_version_range": "<= 9.11.15"
}

Go / github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
10.8.0
Fixed
10.8.1

Affected versions

10.8.0

Go / github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
10.7.0
Fixed
10.7.3

Database specific

{
    "last_known_affected_version_range": "<= 10.7.2"
}

Go / github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
10.6.0
Fixed
10.6.6

Database specific

{
    "last_known_affected_version_range": "<= 10.6.5"
}