CVE-2025-4573

🗓️ 11 Jun 2025 10:22:24Reported by MattermostType

cve🔗 web.nvd.nist.gov📰️ 3 Media mentions👁 57 Views🌐 WEB

LDAP injection in Mattermost allows exploitation by authenticated administrators via API access.

Reporter	Title	Published	Views	Family All 16
BDU FSTEC	The vulnerability of the Mattermost instant messaging application, related to the failure to take measures to neutralize special elements in the LDAP request, allows a perpetrator to disclose protected information.	2 Jul 202500:00	–	bdu_fstec
Circl	CVE-2025-4573	11 Jun 202513:30	–	circl
CNNVD	Mattermost 注入漏洞	11 Jun 202500:00	–	cnnvd
Cvelist	CVE-2025-4573 LDAP Injection in Mattermost Enterprise Edition When Using Active Directory	11 Jun 202510:22	–	cvelist
EUVD	EUVD-2025-18095	3 Oct 202520:07	–	euvd
Github Security Blog	Mattermost allows authenticated administrator to execute LDAP search filter injection	11 Jun 202512:30	–	github
NVD	CVE-2025-4573	11 Jun 202511:15	–	nvd
OPENSUSE Linux	govulncheck-vulndb-0.0.20250612T141001-1.1 on GA media (moderate)	5 Jul 202500:00	–	opensuse
OSV	GHSA-4R67-4X4P-FPRG Mattermost allows authenticated administrator to execute LDAP search filter injection	11 Jun 202512:30	–	osv
OSV	GO-2025-3756 Mattermost allows authenticated administrator to execute LDAP search filter injection in github.com/mattermost/mattermost-server	11 Jun 202517:45	–	osv

NVD

Node

mattermost mattermost_serverRange9.11.0–9.11.14

mattermost mattermost_serverRange10.5.0–10.5.5

mattermost mattermost_serverRange10.6.0–10.6.4

mattermost mattermost_serverRange10.7.0–10.7.2

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "10.7.1",
        "status": "affected",
        "version": "10.7.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "10.6.3",
        "status": "affected",
        "version": "10.6.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "10.5.4",
        "status": "affected",
        "version": "10.5.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.11.13",
        "status": "affected",
        "version": "9.11.0",
        "versionType": "semver"
      },
      {
        "version": "10.8.0",
        "status": "unaffected"
      },
      {
        "version": "10.7.2",
        "status": "unaffected"
      },
      {
        "version": "10.6.4",
        "status": "unaffected"
      },
      {
        "version": "10.5.5",
        "status": "unaffected"
      },
      {
        "version": "9.11.14",
        "status": "unaffected"
      }
    ]
  }
]

Source	Link
mattermost	www.mattermost.com/security-updates

Parameter	Position	Path	Description	CWE
remote_id	request body	/api/v4/ldap/groups/{remote_id}/link	LDAP group ID attribute validation flaw allows LDAP filter injection via PUT /api/v4/ldap/groups/{remote_id}/link when objectGUID is configured as the Group ID Attribute	CWE-90

17 Jun 2026 09:33Current

4.7Medium risk

Vulners AI Score4.7

CVSS 3.14.1

EPSS0.00236

SSVC

CWE-90