CVE-2025-31947: 
vulnerability analysis and mitigation

Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, and 9.11.x <= 9.11.11 are affected by a security vulnerability related to LDAP user account lockouts. The vulnerability was disclosed on May 15, 2025, and has been assigned CVE-2025-31947 (NVD, Wiz).

The vulnerability is characterized by a failure to properly implement account lockout mechanisms for LDAP users after repeated login failures. This has been classified under CWE-645 (Overly Restrictive Account Lockout Mechanism). The vulnerability has received a CVSS v3.1 base score of 5.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L, indicating network accessibility with low attack complexity and no required privileges or user interaction (Wiz).

The vulnerability allows attackers to lock external LDAP accounts through repeated login failures via Mattermost. This can result in a denial of service condition specifically targeting LDAP user accounts, potentially disrupting legitimate user access to the system (Wiz).

Organizations should upgrade to the following fixed versions: Mattermost 10.6.2, 10.5.3, 10.4.5, or 9.11.12. These versions contain the necessary security patches to address the LDAP account lockout vulnerability (CERT-FR).