CVE-2025-6465
BaseFortify
Publication date: 2025-08-21
Last updated on: 2025-10-02
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.5.0 (inc) to 10.5.9 (exc) |
| mattermost | mattermost_server | From 10.8.0 (inc) to 10.8.4 (exc) |
| mattermost | mattermost_server | From 10.9.0 (inc) to 10.9.4 (exc) |
| mattermost | mattermost_server | 10.10.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in certain versions of Mattermost where the software fails to properly sanitize file names. This allows users who have permission to upload files to exploit a path traversal issue in the file streaming APIs, enabling them to overwrite file attachment thumbnails.
How can this vulnerability impact me? :
An attacker with file upload permissions could overwrite existing file attachment thumbnails, potentially leading to unauthorized modification of files or misleading content display. This could affect the integrity of file attachments within the Mattermost application.