CVE-2025-25274

4.3 MEDIUM

📋 TL;DR

This vulnerability allows authenticated users to execute slash commands in archived Mattermost channels, bypassing intended restrictions. It affects Mattermost instances running vulnerable versions, requiring user authentication but no special privileges.

💻 Affected Systems

Products:
  • Mattermost
Versions: Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8
Operating Systems: All platforms running Mattermost
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to archived channels

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authenticated users could execute unauthorized commands in archived channels, potentially accessing sensitive information or performing actions that should be restricted to active channels.

🟠 Likely Case

Users with access to archived channels could run commands that bypass normal channel state restrictions, potentially causing confusion or minor disruption.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to authorized users performing actions in channels they already have access to.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to archived channels

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to Mattermost 10.4.3, 10.3.4, or 9.11.9

Vendor Advisory: https://mattermost.com/security-updates

Restart Required: Yes

Instructions:

1. Back up your Mattermost instance.
2. Download the patched version from Mattermost downloads.
3. Stop the Mattermost service.
4. Install the update.
5. Restart the Mattermost service.
6. Verify the version update.

🔧 Temporary Workarounds

Disable slash commands globally (applies to: all)

Temporarily disable all slash commands to prevent exploitation.

Edit config.json: set "EnableCommands" (under "ServiceSettings") to false. This disables slash commands in every channel, not only archived ones, so treat it as a stopgap until the patch is applied.

Restrict archived channel access (applies to: all)

Limit user permissions for archived channels.

Use the Mattermost System Console to adjust channel permissions.

🧯 If You Can't Patch

  • Review and restrict user permissions for archived channels
  • Monitor logs for unusual command execution in archived channels

🔍 How to Verify

Check if Vulnerable:

Check Mattermost version via System Console > About Mattermost

Check Version:

mattermost version

Verify Fix Applied:

Verify the running version is 10.4.3, 10.3.4 or 9.11.9, or a later release on the same branch (an older branch such as 10.3.x is not fixed just because 10.4.3 exists).
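The version check and the config.json workaround above can be scripted for fleet-wide triage. The following is an added example written for this page, not Mattermost's own tooling: it classifies a version string against the three affected branches listed under Affected Systems and checks whether a config.json fragment has ServiceSettings.EnableCommands set to false. The sample config is constructed; the site URL in it is a placeholder.

```python
import json
from typing import Tuple

# Affected ranges from the advisory: branch (major, minor) -> highest affected patch level.
# The first fixed release on each branch is the next patch number.
AFFECTED_BRANCHES = {
    (10, 4): 2,   # 10.4.x <= 10.4.2 affected, 10.4.3 fixed
    (10, 3): 3,   # 10.3.x <= 10.3.3 affected, 10.3.4 fixed
    (9, 11): 8,   # 9.11.x <= 9.11.8 affected, 9.11.9 fixed
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch', tolerating a leading 'v' and a '-rc1' or '+build' suffix."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Mattermost version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess_version(text: str) -> str:
    """Classify a version as 'affected', 'fixed' or 'not_listed' for CVE-2025-25274.

    'not_listed' means the branch is not named in the advisory's affected list;
    consult the vendor advisory rather than assuming it is safe.
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch not in AFFECTED_BRANCHES:
        return "not_listed"
    return "affected" if patch <= AFFECTED_BRANCHES[branch] else "fixed"


def commands_disabled(config_json: str) -> bool:
    """True if the global slash-command workaround is applied in config.json,
    i.e. ServiceSettings.EnableCommands is exactly false (missing keys count as not applied)."""
    config = json.loads(config_json)
    return config.get("ServiceSettings", {}).get("EnableCommands") is False


# Constructed sample config fragment (not a real deployment's file).
SAMPLE_CONFIG = """
{
  "ServiceSettings": {
    "SiteURL": "https://chat.example.invalid",
    "EnableCommands": false
  }
}
"""

if __name__ == "__main__":
    for v in ("10.4.2", "10.4.3", "9.11.8", "v10.3.4", "10.5.0"):
        print(f"{v:>8} -> {assess_version(v)}")
    print("workaround applied:", commands_disabled(SAMPLE_CONFIG))
```

Feed `assess_version` the output of `mattermost version` or the value shown in System Console > About Mattermost; a `not_listed` result is a prompt to read the vendor advisory, not a clean bill of health.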

📡 Detection & Monitoring

Log Indicators:

  • Slash command execution in archived channels
  • Unexpected command usage patterns

Network Indicators:

  • API calls to archived channel endpoints with command parameters

SIEM Query:

source="mattermost" AND ("archived" AND "command")
