
CVE-2025-24526: Mattermost fails to restrict channel export of archived channels

CVSS Score: 4.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.16425%
Published: 2/24/2025
Updated: 2/24/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name                               | Ecosystem | Vulnerable Versions                  | First Patched Version
github.com/mattermost/mattermost/server/v8 | go        | < 8.0.0-20250110161910-96195f1bd746  | 8.0.0-20250110161910-96195f1bd746
github.com/mattermost/mattermost/server/v8 | go        | >= 9.11.0-rc1, < 9.11.8              | 9.11.8
github.com/mattermost/mattermost/server/v8 | go        | >= 10.2.0-rc1, < 10.2.3              | 10.2.3
github.com/mattermost/mattermost/server/v8 | go        | >= 10.3.0-rc1, < 10.3.3              | 10.3.3
github.com/mattermost/mattermost/server/v8 | go        | >= 10.4.0-rc1, < 10.4.2              | 10.4.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing authorization checks in the channel export handler. The fix in commit 3c052b6 added two checks: 1) a configuration check for ExperimentalViewArchivedChannels, and 2) a channel archive status check using DeleteAt. The original vulnerable code lacked both, so an archived channel could still be exported even when viewing archived channels was disabled. The tests added in api_test.go confirm that the export is blocked when ExperimentalViewArchivedChannels=false and the channel is archived, which places the vulnerable flow in the Export handler.
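The two checks described above, re-created as a small added example (not Mattermost's own code): a channel counts as archived when DeleteAt is non-zero, and the export handler refuses such a channel unless ExperimentalViewArchivedChannels is on. The Channel and Config types, the handler and the query parameter name are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Channel keeps only the field the check depends on (assumed shape):
// DeleteAt is 0 for an active channel and a timestamp once archived.
type Channel struct {
	ID       string
	DeleteAt int64
}

// Config holds the single setting the fix consults (assumed shape).
type Config struct {
	ExperimentalViewArchivedChannels bool
}

var ErrArchivedExportForbidden = errors.New("export of archived channel not permitted")

// checkExportAllowed is the authorization step that was missing: with the
// "view archived channels" setting off, an archived channel must not be exported.
func checkExportAllowed(cfg Config, ch *Channel) error {
	if ch.DeleteAt != 0 && !cfg.ExperimentalViewArchivedChannels {
		return ErrArchivedExportForbidden
	}
	return nil
}

// exportHandler models the export endpoint with the check placed before
// any export work; leaving the check out reproduces the vulnerable flow.
func exportHandler(cfg Config, lookup func(id string) (*Channel, bool)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		ch, ok := lookup(r.URL.Query().Get("channel_id"))
		if !ok {
			http.Error(w, "channel not found", http.StatusNotFound)
			return
		}
		if err := checkExportAllowed(cfg, ch); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "export of channel %s", ch.ID)
	}
}

// exportStatus drives the handler in-process and returns the HTTP status code.
func exportStatus(cfg Config, ch *Channel) int {
	lookup := func(id string) (*Channel, bool) { return ch, id == ch.ID }
	rr := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/export?channel_id="+ch.ID, nil)
	exportHandler(cfg, lookup)(rr, req)
	return rr.Code
}
```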
