Vulnerability DatabaseCVE-2025-2424
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-2424
April 14, 2025
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation.
Affected Packages
https://github.com/mattermost/mattermost.git (GITHUB):
Affected version(s) >=v9.11.0 <v9.11.10
Fix Suggestion:
Update to version v9.11.10
https://github.com/mattermost/mattermost.git (GITHUB):
Affected version(s) >=v10.5.0 <v10.5.2
Fix Suggestion:
Update to version v10.5.2
github.com/mattermost/mattermost/server/v8 (GO):
Affected version(s) >=v8.0.0-20230429093631-aac4f2337933 <v8.0.0-20250213231113-68c11e9ecb71
Fix Suggestion:
Update to version v8.0.0-20250213231113-68c11e9ecb71
Related Resources (6)
https://nvd.nist.gov/vuln/detail/CVE-2025-2424
https://github.com/mattermost/mattermost
https://github.com/mattermost/mattermost/commit/68c11e9ecb7129f7d3e0e67277f0a5924a8cbe06
https://github.com/advisories/GHSA-wwhj-pw6h-f8hw
https://pkg.go.dev/vuln/GO-2025-3611
https://mattermost.com/security-updates
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Incorrect Authorization
CWE-863
EPSS
Base Score:
0.14