How to fix CVE-2025-4981?

Within 24 hours: Disable file attachments (FileSettings.EnableFileAttachments = false) or disable content extraction (FileSettings.ExtractContent = false) as an interim measure, and audit recent file uploads for suspicious activity. Within 7 days: Upgrade to patched versions (10.5.6+, 9.11.16+, 10.8.1+, 10.7.3+, 10.6.6+) or implement network-level controls to restrict Mattermost access to trusted users only. Within 30 days: Complete the upgrade, re-enable features if necessary, and conduct a full security assessment of affected instances.

Is Mattermost Server affected by CVE-2025-4981?

A critical vulnerability in Mattermost allows authenticated users to execute arbitrary code on affected servers by uploading specially crafted archive files.

CVE-2025-4981

EUVD-2025-28315 CRITICAL

2025-06-20 [email protected]

GHSA-qh58-9v3j-wcjc

9.9

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 15, 2026 - 00:19 euvd

EUVD-2025-28315

Analysis Generated

Mar 15, 2026 - 00:19 vuln.today

CVE Published

Jun 20, 2025 - 11:15 nvd

CRITICAL 9.9

Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default.

Analysis

A remote code execution vulnerability (CVSS 9.9) that allows authenticated users. Critical severity with potential for significant impact on affected systems.

Technical Context

CWE-427 (Uncontrolled Search Path). CVSS 9.9 indicates critical severity with likely remote exploitation vector.

Affected Products

['Unspecified product']

Remediation

Monitor vendor channels for patch availability.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.6

CVSS: +50

POC: 0

Vendor Status

Debian

Bug #823556

mattermost-server

Release	Status	Fixed Version	Urgency
	open	-	-

CVE-2025-4981 vulnerability details – vuln.today

Back

CVE-2025-4981

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Debian

Share

CVE-2025-4981

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Debian

Share

External POC / Exploit Code