LDAP Group ID Injection Vulnerability in Mattermost by Mattermost, Inc.
CVE-2025-4573

4.1 MEDIUM

Key Information:

Vendor: Mattermost
CVE Published: 11 June 2025

What is CVE-2025-4573?

An LDAP group ID injection vulnerability exists in certain versions of Mattermost because LDAP group ID attribute values are not properly validated. An authenticated administrator holding the relevant permissions can exploit it through the API endpoint by injecting into the LDAP search filter when objectGUID is configured as the Group ID Attribute. In that position an attacker could manipulate the LDAP queries Mattermost issues, leading to unauthorized access and tampering with user management and group linkages within the application.
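The defensive handling the description implies, as an added example in Go (the language Mattermost is written in) and not Mattermost's own code: the configured Group ID Attribute decides how an administrator-supplied group ID is treated before it reaches the search filter, so a string attribute is escaped per RFC 4515 and an objectGUID value must parse as a GUID or is rejected. Assumed: the filter shape `(&(objectClass=group)(attr=value))`, the function names, and that objectGUID values arrive in Microsoft's textual GUID form (whose first three fields Active Directory stores little-endian).

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// ldapEscaper implements RFC 4515 section 3: '*', '(', ')', '\' and NUL
// become \xx escapes, so a value can never close or extend a filter.
var ldapEscaper = strings.NewReplacer(`\`, `\5c`, "*", `\2a`, "(", `\28`, ")", `\29`, "\x00", `\00`)

// EscapeFilterValue escapes a string-typed attribute value (cn, uid, ...).
func EscapeFilterValue(v string) string { return ldapEscaper.Replace(v) }

// GUIDFilterValue accepts only a textual GUID (8-4-4-4-12 hex) and renders it
// as the \xx-per-byte form that matches the binary objectGUID attribute. AD
// stores the first three fields little-endian, so those bytes are reversed.
func GUIDFilterValue(s string) (string, error) {
	raw, err := hex.DecodeString(strings.ReplaceAll(s, "-", ""))
	if err != nil || len(raw) != 16 || len(s) != 36 {
		return "", fmt.Errorf("not a GUID: %q", s)
	}
	var b strings.Builder
	for _, i := range []int{3, 2, 1, 0, 5, 4, 7, 6, 8, 9, 10, 11, 12, 13, 14, 15} {
		fmt.Fprintf(&b, `\%02x`, raw[i])
	}
	return b.String(), nil
}

// GroupFilter builds the group lookup filter for the configured Group ID
// Attribute (assumed filter shape). Neither branch interpolates raw input.
func GroupFilter(attr, id string) (string, error) {
	val := EscapeFilterValue(id)
	if strings.EqualFold(attr, "objectGUID") {
		var err error
		if val, err = GUIDFilterValue(id); err != nil {
			return "", err
		}
	}
	return fmt.Sprintf("(&(objectClass=group)(%s=%s))", attr, val), nil
}

func main() {
	// Constructed inputs: a benign group, an injection-style value, and a GUID.
	for _, in := range [][2]string{{"cn", "devs"}, {"cn", "*)(cn=*"}, {"objectGUID", "a1b2c3d4-e5f6-0718-9a0b-0c0d0e0f1011"}, {"objectGUID", "*)(cn=*"}} {
		f, err := GroupFilter(in[0], in[1])
		fmt.Printf("%-10s %-40q -> %q %v\n", in[0], in[1], f, err)
	}
}
```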

Affected Version(s)

Mattermost 10.7.0 through 10.7.1

Mattermost 10.6.0 through 10.6.3

Mattermost 10.5.0 through 10.5.4

CVSS V3.1

Score: 4.1
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Juho Forsén