CVE-2025-24490: 
Mattermost vulnerability analysis and mitigation

A critical SQL injection vulnerability (CVE-2025-24490) was discovered in Mattermost, affecting versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, and 10.2.x <= 10.2.2. The vulnerability stems from a failure to use prepared statements in the SQL query of boards reordering functionality (MITRE CVE, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.6 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. The flaw is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The vulnerability specifically occurs in the board category ID reordering requests functionality, where the application fails to properly sanitize input (Security Online).

The vulnerability allows attackers to retrieve sensitive data from the Mattermost database through SQL injection attacks. Successful exploitation could lead to significant data breaches and unauthorized access to system information (Security Online).

Mattermost has released patches to address this vulnerability. Users are strongly advised to upgrade to versions 10.5.0, 10.4.2, 9.11.8, 10.3.3, or 10.2.3. Alternatively, updating the Mattermost Boards plugin to v9.0.5 or higher will also remediate the vulnerability (Security Online).