Base Score

MEDIUM6.5

CVE-2025-30179

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.

VectorNETWORK

Published Byresponsibledisclosure@mattermost.com

Published DateMar 21, 2025, 09:15

Affected Versions(4)

github.com/mattermost/mattermost/server/v8(Go)

Introduced10.4.0

Fixed10.4.3

LimitN/A

github.com/mattermost/mattermost/server/v8(Go)

Introduced10.3.0

Fixed10.3.4

LimitN/A

github.com/mattermost/mattermost/server/v8(Go)

Introduced9.11.0

Fixed9.11.9

LimitN/A

github.com/mattermost/mattermost/server/v8(Go)

Introduced10.5.0

Fixed10.5.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/mattermost/mattermost/server/v8(Go)	10.4.0	10.4.3	N/A
github.com/mattermost/mattermost/server/v8(Go)	10.3.0	10.3.4	N/A
github.com/mattermost/mattermost/server/v8(Go)	9.11.0	9.11.9	N/A
github.com/mattermost/mattermost/server/v8(Go)	10.5.0	10.5.1	N/A

Weakness Type (CWE):CWE-863

CVSS Metrics

Base Score

6.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

HIGH

Availability (A)

NONE

References

https://mattermost.com/security-updates

Base Score

MEDIUM6.5

Weakness Type (CWE):CWE-863

CVSS Metrics

Base Score

6.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

HIGH

Availability (A)

NONE