CVE-2025-8023: 
vulnerability analysis and mitigation

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, and 10.9.x <= 10.9.2 contain a path traversal vulnerability identified as CVE-2025-8023. The vulnerability was discovered and disclosed on August 21, 2025, affecting the Mattermost server software's template file handling functionality (NVD).

The vulnerability stems from improper sanitization of path traversal sequences in template file destination paths. This security flaw is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The vulnerability has received a CVSS v3.1 base score of 4.9 (Medium) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N, while Mattermost assessed it with a score of 6.8 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N (NVD).

The vulnerability allows system administrators to perform path traversal attacks through malicious path components, which could result in unauthorized file placement outside of intended directories. This could potentially compromise the system's integrity by allowing files to be placed in unauthorized locations (NVD).

Users should upgrade to the following fixed versions: Mattermost version 10.8.4 or later for 10.8.x series, 10.5.9 or later for 10.5.x series, 9.11.18 or later for 9.11.x series, and 10.9.3 or later for 10.9.x series (NVD).