Moderate severityNVD Advisory· Published Jun 11, 2025· Updated Jun 11, 2025
LDAP Injection in Mattermost Enterprise Edition When Using Active Directory
CVE-2025-4573
Description
Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT /api/v4/ldap/groups/{remote_id}/link API when objectGUID is configured as the Group ID Attribute.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | < 8.0.0-20250414112942-77892234944b | 8.0.0-20250414112942-77892234944b |
github.com/mattermost/mattermost-serverGo | >= 10.7.0, < 10.7.2 | 10.7.2 |
github.com/mattermost/mattermost-serverGo | >= 10.6.0, < 10.6.4 | 10.6.4 |
github.com/mattermost/mattermost-serverGo | >= 10.5.0, < 10.5.5 | 10.5.5 |
github.com/mattermost/mattermost-serverGo | >= 9.11.0, < 9.11.14 | 9.11.14 |
Affected products
4- ghsa-coords3 versionspkg:golang/github.com/mattermost/mattermost-serverpkg:golang/github.com/mattermost/mattermost/server/v8pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
>= 10.7.0, < 10.7.2+ 2 more
- (no CPE)range: >= 10.7.0, < 10.7.2
- (no CPE)range: < 8.0.0-20250414112942-77892234944b
- (no CPE)range: < 0.0.20250612T141001-1.1
- Range: 10.7.0
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-4r67-4x4p-fprgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-4573ghsaADVISORY
- github.com/mattermost/mattermost/commit/1f9c688a30847eeb7bfb1574dc7bbb9f011afbf7ghsaWEB
- github.com/mattermost/mattermost/commit/64a65c6107877382040297b3ef215c689caaed74ghsaWEB
- github.com/mattermost/mattermost/commit/77892234944bc7476b20794e516538bcac717de9ghsaWEB
- github.com/mattermost/mattermost/commit/b33926709b956a59558cc7fef80c0e75a769ce81ghsaWEB
- github.com/mattermost/mattermost/commit/b47e89c4f98cb6ad9f1dceb79325aa94e80f963aghsaWEB
- mattermost.com/security-updatesghsaWEB
News mentions
0No linked articles in our index yet.