Open-source collaboration platform Mattermost is exposed to a severe vulnerability that threatens the integrity of its deployments worldwide. Tracked as CVE-2025-4981, this critical flaw (CVSS 9.9) allows authenticated users to write files to arbitrary locations on the host system, opening the door to remote code execution.
Mattermost is a widely adopted, open-source team messaging and collaboration platform designed for enterprise-grade internal communications. Often seen as a self-hosted alternative to Slack and Microsoft Teams, Mattermost emphasizes privacy, flexibility, and integration with third-party tools. It's commonly used by organizations handling sensitive data, including financial firms, healthcare providers, and government agencies.
At the core of CVE-2025-4981 is a path traversal bug in Mattermost's archive extractor component. Affected versions include:

10.5.x ≤ 10.5.5
9.11.x ≤ 9.11.15
10.8.x ≤ 10.8.0
10.7.x ≤ 10.7.2
10.6.x ≤ 10.6.5

The issue arises from improper sanitization of filenames when users upload compressed archive files (such as .zip or .tar.gz). An attacker with valid credentials can upload an archive containing files with malicious path traversal sequences (e.g., ../../../etc/passwd), causing the application to extract those files outside the intended directory.
If the targeted instance has the following settings enabled, which they are by default:

FileSettings.EnableFileAttachments = true
FileSettings.ExtractContent = true

then the attacker can effectively plant files in critical filesystem locations, potentially executing arbitrary code or escalating privileges within the environment.
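To make the defect concrete from the defender's side, the following Go program is an added example (not Mattermost's code and not the vendor's patch) of what a safe archive extractor must do before writing any entry: resolve each entry name under the destination directory and refuse absolute names, "../" sequences and backslash-separated variants, so a name like ../../../etc/passwd can never land outside the extraction root. The function and type names (SafeJoin, ExtractZip, OpenZip, BuildZip, Entry, maxEntryBytes) are my own, and the archives it builds are constructed sample data; the same name check applies unchanged to .tar.gz entries.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath flags an entry whose name would resolve outside the
// extraction directory (the traversal pattern behind CVE-2025-4981).
var ErrUnsafePath = errors.New("archive entry escapes extraction directory")

// maxEntryBytes caps the bytes written per entry (assumed limit, not Mattermost's).
const maxEntryBytes = 64 << 20

// SafeJoin resolves entry name under dest and rejects anything that escapes it.
func SafeJoin(dest, name string) (string, error) {
	// Treat backslashes as separators so "..\..\" is caught on POSIX hosts too.
	name = strings.ReplaceAll(name, `\`, "/")
	// filepath.Join would silently re-root "/etc/passwd" under dest; reject it explicitly.
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", ErrUnsafePath
	}
	cleanDest := filepath.Clean(dest)
	// Join cleans the result, so "a/../../x" collapses before the check below.
	target := filepath.Join(cleanDest, filepath.FromSlash(name))
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// OpenZip wraps zip.NewReader. Recent Go versions may report suspicious names
// here (zip.ErrInsecurePath) while still returning the Reader; ExtractZip
// applies its own check regardless of the Go version in use.
func OpenZip(raw []byte) (*zip.Reader, error) {
	r, err := zip.NewReader(bytes.NewReader(raw), int64(len(raw)))
	if r == nil {
		return nil, err
	}
	return r, nil
}

// ExtractZip validates every entry name first, then writes the entries beneath
// dest. A single bad name rejects the whole archive before anything is written,
// so a malicious entry late in the listing cannot leave a half-extracted tree.
func ExtractZip(r *zip.Reader, dest string) ([]string, error) {
	for _, f := range r.File {
		if _, err := SafeJoin(dest, f.Name); err != nil {
			return nil, fmt.Errorf("entry %q: %w", f.Name, err)
		}
	}
	var written []string
	for _, f := range r.File {
		target, _ := SafeJoin(dest, f.Name) // validated above
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
		if err != nil {
			rc.Close()
			return written, err
		}
		// LimitReader bounds disk usage against a decompression bomb.
		_, err = io.Copy(out, io.LimitReader(rc, maxEntryBytes))
		out.Close()
		rc.Close()
		if err != nil {
			return written, err
		}
		written = append(written, target)
	}
	return written, nil
}

// Entry is one file in a constructed sample archive.
type Entry struct{ Name, Body string }

// BuildZip assembles an in-memory zip from constructed entries.
func BuildZip(entries []Entry) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, _ := w.Create(e.Name)
		fw.Write([]byte(e.Body))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "extract")
	defer os.RemoveAll(dest)
	benign := BuildZip([]Entry{{"docs/readme.txt", "hello"}})
	malicious := BuildZip([]Entry{{"docs/readme.txt", "hello"}, {"../../../tmp/planted.txt", "x"}})
	for _, raw := range [][]byte{benign, malicious} {
		r, _ := OpenZip(raw)
		paths, err := ExtractZip(r, dest)
		fmt.Printf("written=%v err=%v\n", paths, err)
	}
}
```

Running it extracts the benign archive and rejects the second one outright with an ErrUnsafePath error naming the offending entry. The ordering matters: validating all names before opening any file is what keeps a rejected archive from leaving partial output behind.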
The Mattermost team has issued security updates addressing CVE-2025-4981. All administrators are strongly advised to upgrade to the latest stable versions that patch the affected archive extraction behavior.