Path Traversal Leading to RCE by Any Authenticated Mattermost User
Description
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor, which allows authenticated users to write files to arbitrary locations on the filesystem by uploading archives containing filenames with path traversal sequences, potentially leading to remote code execution. The vulnerability affects instances where file uploads and document search by content are enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). Both settings are enabled by default.
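Added example (not Mattermost's code) showing the pattern the description refers to: an archive entry name joined onto the temp directory without a check, beside a containment check and the fix's approach of letting the untrusted name contribute only its extension. The directory, the sample entry names and the helper names are constructed for illustration; getExtAlsoTarGz reproduces the helper from the fix commit.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal reports an archive entry name that would escape the extraction directory.
var ErrTraversal = errors.New("archive entry name escapes the extraction directory")

// unsafeTempPath mirrors the pre-fix pattern: the name taken from the
// uploaded archive is joined onto the temp directory without any check.
func unsafeTempPath(dir, name string) string {
	return filepath.Join(dir, name)
}

// safeTempPath keeps the name but refuses any entry that, once cleaned,
// resolves outside dir (hypothetical containment check, not Mattermost code).
func safeTempPath(dir, name string) (string, error) {
	base := filepath.Clean(dir)
	target := filepath.Join(base, name) // Join also collapses ".." segments
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// getExtAlsoTarGz reproduces the helper added by the fix: only the extension
// of the untrusted name is kept, with .tar.gz special-cased.
func getExtAlsoTarGz(name string) string {
	if strings.HasSuffix(name, ".tar.gz") {
		return ".tar.gz"
	}
	return filepath.Ext(name)
}

// createTempForArchive follows the patched approach: the untrusted name
// contributes nothing but its extension to the os.CreateTemp pattern, so
// directory components in the name can never reach the filesystem path.
func createTempForArchive(name string) (string, error) {
	f, err := os.CreateTemp("", "archiver-*"+getExtAlsoTarGz(name))
	if err != nil {
		return "", err
	}
	f.Close()
	return f.Name(), nil
}
```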
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-server (Go) | < 0.0.0-20250519205859-65aec10162f6 | 0.0.0-20250519205859-65aec10162f6 |
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20250519205859-65aec10162f6 | 8.0.0-20250519205859-65aec10162f6 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.5.0, < 10.5.6 | 10.5.6 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 9.11.0, < 9.11.16 | 9.11.16 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.8.0, < 10.8.1 | 10.8.1 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.7.0, < 10.7.3 | 10.7.3 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.6.0, < 10.6.6 | 10.6.6 |
Affected products
- Range: 10.5.0
Patches
65aec10162f6 MM-64336: simplify doc extractor (#31103)
1 file changed · +14 −6
server/platform/services/docextractor/archive.go+14 −6 modified@@ -27,17 +27,25 @@ func (ae *archiveExtractor) Match(filename string) bool { return err == nil } +// getExtAlsoTarGz returns the extension of the given file name, special casing .tar.gz. +func getExtAlsoTarGz(name string) string { + if strings.HasSuffix(name, ".tar.gz") { + return ".tar.gz" + } + + return filepath.Ext(name) +} + func (ae *archiveExtractor) Extract(name string, r io.ReadSeeker) (string, error) { - dir, err := os.MkdirTemp(os.TempDir(), "archiver") + ext := getExtAlsoTarGz(name) + + // Create a temporary file, using `*` control the random component while preserving the extension. + f, err := os.CreateTemp("", "archiver-*"+ext) if err != nil { return "", fmt.Errorf("error creating temporary file: %v", err) } - defer os.RemoveAll(dir) + defer os.Remove(f.Name()) - f, err := os.Create(filepath.Join(dir, name)) - if err != nil { - return "", fmt.Errorf("error copying data into temporary file: %v", err) - } _, err = io.Copy(f, r) f.Close() if err != nil {
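Review bot: the new getExtAlsoTarGz calls strings.HasSuffix, but the hunk adds no import and the stat line (+14 −6) shows this hunk is the entire change, so the build relies on archive.go already importing strings; please confirm. Since the removed `f, err := os.Create(filepath.Join(dir, name))` is what let a crafted entry name escape the temp directory and the new `os.CreateTemp("", "archiver-*"+ext)` only ever takes the extension of `name`, the commit message "simplify doc extractor" undersells the change; a sentence saying this is the traversal fix would help future readers, and a unit test with a name that contains ".." and a separator would pin the behaviour down (os.CreateTemp rejects patterns containing a path separator, and filepath.Ext only returns the suffix of the final path element, so the pattern stays separator-free). Minor: the comment "using `*` control the random component" is missing a word and should read "using `*` to control the random component".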