
CVE-2025-6465: Mattermost Fails to Sanitize File Names

CVSS Score: 4.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.13269%
Published: 8/21/2025
Updated: 8/22/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name                                Ecosystem   Vulnerable Versions                     First Patched Version
github.com/mattermost/mattermost-server     go          >= 10.8.0, <= 10.8.3                    10.8.4
github.com/mattermost/mattermost-server     go          >= 10.5.0, <= 10.5.8                    10.5.9
github.com/mattermost/mattermost-server     go          >= 10.9.0, <= 10.9.3                    10.9.4
github.com/mattermost/mattermost-server     go          = 10.10.0                               10.10.1
github.com/mattermost/mattermost/server/v8  go          < 8.0.0-20250708173752-d6b35c41f0ae5    8.0.0-20250708173752-d6b35c41f0ae5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability described is a path traversal issue in Mattermost's file upload functionality. By analyzing the provided patch, I identified the exact location of the fix. The commit d6b35c41f0ae5 directly addresses the vulnerability. The key change is in the server/channels/api4/upload.go file, within the createUpload function. The addition of us.Filename = filepath.Base(us.Filename) sanitizes the user-provided filename by stripping any directory information, thus mitigating the path traversal attack. The corresponding test file, server/channels/api4/upload_test.go, confirms this by adding a test case that attempts to use a malicious filename (../../../image.png) and asserts that it gets cleaned to image.png. Therefore, the createUpload function is the vulnerable function, as it was the entry point for processing the malicious file upload request.
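To make the one-line fix concrete, here is an added Go sketch (not Mattermost's code) that contrasts joining the raw upload name into the attachment directory with the sanitized version. uploadSession, storagePathBefore, storagePathAfter and sanitizeFilename are hypothetical names; the rejection of names that reduce to "", "." or "..", the backslash normalisation and the final prefix check are this example's additions on top of the upstream filepath.Base call.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Hypothetical stand-in for the upload session; only Filename matters here.
type uploadSession struct {
	Filename string
}

// storagePathBefore mirrors the pre-fix behaviour: the user-supplied name is
// joined to the attachment directory as-is, so "../" components escape it.
func storagePathBefore(baseDir string, us uploadSession) string {
	return filepath.Join(baseDir, us.Filename)
}

// sanitizeFilename applies the patch's filepath.Base and additionally rejects
// names that reduce to nothing usable (added here, not part of the upstream fix).
func sanitizeFilename(name string) (string, error) {
	// Treat backslashes as separators too, so a Windows-style path is also
	// reduced to its last element on a Linux server (filepath.Base alone would not).
	name = strings.ReplaceAll(name, `\`, "/")
	base := filepath.Base(name)
	if base == "" || base == "." || base == ".." || base == "/" {
		return "", errors.New("invalid file name")
	}
	return base, nil
}

// storagePathAfter is the hardened version: sanitize first, then verify the
// result still lives inside baseDir (defence in depth).
func storagePathAfter(baseDir string, us uploadSession) (string, error) {
	clean, err := sanitizeFilename(us.Filename)
	if err != nil {
		return "", err
	}
	full := filepath.Join(baseDir, clean)
	if !strings.HasPrefix(full, filepath.Clean(baseDir)+string(filepath.Separator)) {
		return "", errors.New("path escapes attachment directory")
	}
	return full, nil
}

func main() {
	const base = "/data/attachments/channel1" // constructed sample directory
	for _, n := range []string{"image.png", "../../../image.png", `..\..\image.png`, ".."} {
		us := uploadSession{Filename: n}
		after, err := storagePathAfter(base, us)
		fmt.Printf("%-22q before=%s after=%s err=%v\n", n, storagePathBefore(base, us), after, err)
	}
}
```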


WAF Protection Rules

WAF Rule

Mattermost versions 10.5.x <= 10.5.8, 10.8.x <= 10.8.3, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names, which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.
