Moderate severityNVD Advisory· Published May 15, 2025· Updated May 15, 2025

Repeated LDAP login failures can lock an LDAP account

CVE-2025-31947

Description

Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lockout LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts through repeated login failures through Mattermost.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/mattermost/mattermost/server/v8Go	>= 10.6.0, < 10.6.2	10.6.2
github.com/mattermost/mattermost/server/v8Go	>= 10.5.0, < 10.5.3	10.5.3
github.com/mattermost/mattermost/server/v8Go	>= 10.4.0, < 10.4.5	10.4.5
github.com/mattermost/mattermost/server/v8Go	>= 9.11.0, < 9.11.12	9.11.12
github.com/mattermost/mattermost/server/v8Go	< 8.0.0-20250415054241-76ab3867b785	8.0.0-20250415054241-76ab3867b785

Affected products

Mattermost/Mattermostv5
Range: 10.6.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-qgwx-rffp-6cx9ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-31947ghsaADVISORY
github.com/mattermost/mattermost/pull/30821ghsaWEB
mattermost.com/security-updatesghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000