x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-4r67-4x4p-fprg

[GoVulnBot]

Advisory GHSA-4r67-4x4p-fprg references a vulnerability in the following Go modules:

Module
github.com/mattermost/mattermost-server

Description:
Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT /api/v4/ldap/groups/{remote_id}/link API when objectGUID is configured as the Group ID Attribute.

References:

• ADVISORY: GHSA-4r67-4x4p-fprg
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-4573
• FIX: mattermost/mattermost@1f9c688
• FIX: mattermost/mattermost@64a65c6
• FIX: mattermost/mattermost@7789223
• FIX: mattermost/mattermost@b339267
• FIX: mattermost/mattermost@b47e89c
• WEB: https://mattermost.com/security-updates

Cross references:

• github.com/mattermost/mattermost-server appears in 109 other report(s):
  • data/excluded/GO-2022-0601.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-gwpf-95jc-63rv #601) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1126.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-5jph-wrq7-v9hf #1126) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1127.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-v42f-hq78-8c5m #1127) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1710.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-3wq5-3f56-v5xc #1710) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-0540.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-7ggc-5r84-xf54 #540)
  • data/reports/GO-2022-0576.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-32rp-q37p-jg6w #576)
  • data/reports/GO-2022-0595.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-f37q-q7p2-ccfc #595)
  • data/reports/GO-2022-0599.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-fxwj-v664-wv5g #599)
  • data/reports/GO-2022-0604.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v5: GHSA-hv5f-73mr-7vvj #604)
  • data/reports/GO-2022-0616.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v5: GHSA-qggc-pj29-j27m #616)
  • data/reports/GO-2023-1939.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-j2h2-cvwh-cr64 #1939)
  • data/reports/GO-2024-2444.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-9w97-9rqx-8v4j #2444)
  • data/reports/GO-2024-2446.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-h3gq-j7p9-x3p4 #2446)
  • data/reports/GO-2024-2448.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-q7rx-w656-fwmv #2448)
  • data/reports/GO-2024-2450.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-w88v-pjr8-cmv2 #2450)
  • data/reports/GO-2024-2541.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-32h7-7j94-8fc2 #2541)
  • data/reports/GO-2024-2566.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-r833-w756-h5p2 #2566)
  • data/reports/GO-2024-2588.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-3g35-v53r-gpxc #2588)
  • data/reports/GO-2024-2589.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-6mx3-9qfh-77gj #2589)
  • data/reports/GO-2024-2590.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-7v3v-984v-h74r #2590)
  • data/reports/GO-2024-2591.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fx48-xv6q-6gp3 #2591)
  • data/reports/GO-2024-2592.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-hwjf-4667-gqwx #2592)
  • data/reports/GO-2024-2593.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-pfw6-5rx3-xh3c #2593)
  • data/reports/GO-2024-2594.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-vm9m-57jr-4pxh #2594)
  • data/reports/GO-2024-2595.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-xgxj-j98c-59rv #2595)
  • data/reports/GO-2024-2635.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-r4fm-g65h-cr54 #2635)
  • data/reports/GO-2024-2695.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-mcw6-3256-64gg #2695)
  • data/reports/GO-2024-2696.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-wp43-vprh-c3w5 #2696)
  • data/reports/GO-2024-2706.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-w67v-ph4x-f48q #2706)
  • data/reports/GO-2024-2707.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-xp9j-8p68-9q93 #2707)
  • data/reports/GO-2024-2793.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-5fh7-7mw7-mmx5 #2793)
  • data/reports/GO-2024-2794.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-5qx9-9ffj-5r8f #2794)
  • data/reports/GO-2024-2795.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-8f99-g2pj-x8w3 #2795)
  • data/reports/GO-2024-2796.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-p2wq-4ggp-45f3 #2796)
  • data/reports/GO-2024-2797.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-vx97-8q8q-qgq5 #2797)
  • data/reports/GO-2024-2798.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-wj37-mpq9-xrcm #2798)
  • data/reports/GO-2024-3020.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-762m-4cx6-6mf4 #3020)
  • data/reports/GO-2024-3022.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-9fpw-c9x7-cv3j #3022)
  • data/reports/GO-2024-3023.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-vg67-chm7-8m3j #3023)
  • data/reports/GO-2024-3024.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-vg6q-84p8-qvqh #3024)
  • data/reports/GO-2024-3025.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-56mc-f9w7-2wxq #3025)
  • data/reports/GO-2024-3028.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-cmc8-222c-vqp9 #3028)
  • data/reports/GO-2024-3030.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-jq3g-xqpx-37x3 #3030)
  • data/reports/GO-2024-3031.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-jr9x-3x7m-4j75 #3031)
  • data/reports/GO-2024-3032.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-vvpg-55p7-5h8w #3032)
  • data/reports/GO-2024-3089.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-2jhx-w3vc-w59g #3089)
  • data/reports/GO-2024-3090.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-3j95-8g47-fpwh #3090)
  • data/reports/GO-2024-3091.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fxq9-6946-34q7 #3091)
  • data/reports/GO-2024-3092.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-q22q-2rrf-m27p #3092)
  • data/reports/GO-2024-3093.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-4ww8-fprq-cq34 #3093)
  • data/reports/GO-2024-3094.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-5263-pm2h-m7hw #3094)
  • data/reports/GO-2024-3096.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-c6vp-jjgv-38wj #3096)
  • data/reports/GO-2024-3097.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-hrf9-rm95-fpf3 #3097)
  • data/reports/GO-2024-3164.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-59hf-mpf8-pqjh #3164)
  • data/reports/GO-2024-3227.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-hm57-h27x-599c #3227)
  • data/reports/GO-2024-3232.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-6mvp-gh77-7vwh #3232)
  • data/reports/GO-2024-3233.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-762g-9p7f-mrww #3233)
  • data/reports/GO-2024-3234.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-762v-rq7q-ff97 #3234)
  • data/reports/GO-2024-3235.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-g376-m3h3-mj4r #3235)
  • data/reports/GO-2024-3334.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-qqc8-rv37-79q5 #3334)
  • data/reports/GO-2024-3337.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-69pr-78gv-7c6h #3337)
  • data/reports/GO-2024-3338.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-826h-p4c3-477p #3338)
  • data/reports/GO-2024-3340.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-v647-h8jj-fw5r #3340)
  • data/reports/GO-2025-3377.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-q8fg-cp3q-5jwm #3377)
  • data/reports/GO-2025-3379.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-2549-xh72-qrpm #3379)
  • data/reports/GO-2025-3380.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-7rgp-4j56-fm79 #3380)
  • data/reports/GO-2025-3392.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-5m7j-6gc4-ff5g #3392)
  • data/reports/GO-2025-3393.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-8j3q-gc9x-7972 #3393)
  • data/reports/GO-2025-3394.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-45v9-w9fh-33j6 #3394)
  • data/reports/GO-2025-3407.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-w6xh-c82w-h997 #3407)
  • data/reports/GO-2025-3480.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-5fwx-p6xh-vjrh #3480)
  • data/reports/GO-2025-3481.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-q8p2-2hwc-jw64 #3481)
  • data/reports/GO-2025-3482.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-rhvr-6w8c-6v7w #3482)
  • data/reports/GO-2025-3483.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-v469-7wp6-7cvp #3483)
  • data/reports/GO-2025-3534.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-fqrq-xmxj-v47x #3534)
  • data/reports/GO-2025-3549.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-3gpx-p63p-pr5r #3549)
  • data/reports/GO-2025-3550.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-4v65-xqcj-wpgg #3550)
  • data/reports/GO-2025-3551.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-72qv-j8vr-xvfv #3551)
  • data/reports/GO-2025-3552.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-rp74-x43m-cpw3 #3552)
  • data/reports/GO-2025-3555.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-cw7q-5cgc-h3h9 #3555)
  • data/reports/GO-2025-3556.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-h5v9-xw2g-7hrq #3556)
  • data/reports/GO-2025-3604.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-xfq9-hh5x-xfq9 #3604)
  • data/reports/GO-2025-3609.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-322v-vh2g-qvpv #3609)
  • data/reports/GO-2025-3610.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-6rqh-8465-2xcw #3610)
  • data/reports/GO-2025-3611.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-wwhj-pw6h-f8hw #3611)
  • data/reports/GO-2025-3618.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-msteams: GHSA-2j87-p623-8cc2 #3618)
  • data/reports/GO-2025-3619.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-h4rr-f37j-4hh7 #3619)
  • data/reports/GO-2025-3620.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-j5jw-m2ph-3jjf #3620)
  • data/reports/GO-2025-3621.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-j639-m367-75cf #3621)
  • data/reports/GO-2025-3622.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-9h6j-4ffx-cm84 #3622)
  • data/reports/GO-2025-3623.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-mj2p-v2c2-vh4v #3623)
  • data/reports/GO-2025-3642.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-playbooks: GHSA-3g36-gf7c-75qw #3642)
  • data/reports/GO-2025-3642.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-playbooks: GHSA-3g36-gf7c-75qw #3642)
  • data/reports/GO-2025-3642.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-playbooks: GHSA-3g36-gf7c-75qw #3642)
  • data/reports/GO-2025-3643.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-playbooks: GHSA-689c-xq7x-xjwf #3643)
  • data/reports/GO-2025-3643.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-playbooks: GHSA-689c-xq7x-xjwf #3643)
  • data/reports/GO-2025-3643.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-playbooks: GHSA-689c-xq7x-xjwf #3643)
  • data/reports/GO-2025-3644.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fr22-5377-f3p7 #3644)
  • data/reports/GO-2025-3644.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fr22-5377-f3p7 #3644)
  • data/reports/GO-2025-3644.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fr22-5377-f3p7 #3644)
  • data/reports/GO-2025-3691.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-h356-3mfw-x368 #3691)
  • data/reports/GO-2025-3692.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-qgwx-rffp-6cx9 #3692)
  • data/reports/GO-2025-3693.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-r7r2-m3vr-c8qc #3693)
  • data/reports/GO-2025-3694.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fpff-wj6m-grvr #3694)
  • data/reports/GO-2025-3724.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-4mmr-2w8p-whcr #3724)
  • data/reports/GO-2025-3728.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-86jg-35xj-3vv5 #3728)
  • data/reports/GO-2025-3729.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-8cgx-9ccj-3gwr #3729)
  • data/reports/GO-2025-3730.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-hc6v-386m-93pq #3730)
  • data/reports/GO-2025-3731.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-mc2f-jgj6-6cp3 #3731)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/mattermost/mattermost-server
      versions:
        - introduced: 9.11.0+incompatible
        - fixed: 9.11.14+incompatible
        - introduced: 10.5.0+incompatible
        - fixed: 10.5.5+incompatible
        - introduced: 10.6.0+incompatible
        - fixed: 10.6.4+incompatible
        - introduced: 10.7.0+incompatible
        - fixed: 10.7.2+incompatible
      non_go_versions:
        - fixed: 8.0.0-20250414112942-77892234944b
      vulnerable_at: 10.7.2-rc1+incompatible
summary: |-
    Mattermost allows authenticated administrator to execute LDAP search filter
    injection in github.com/mattermost/mattermost-server
cves:
    - CVE-2025-4573
ghsas:
    - GHSA-4r67-4x4p-fprg
references:
    - advisory: https://github.com/advisories/GHSA-4r67-4x4p-fprg
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-4573
    - fix: https://github.com/mattermost/mattermost/commit/1f9c688a30847eeb7bfb1574dc7bbb9f011afbf7
    - fix: https://github.com/mattermost/mattermost/commit/64a65c6107877382040297b3ef215c689caaed74
    - fix: https://github.com/mattermost/mattermost/commit/77892234944bc7476b20794e516538bcac717de9
    - fix: https://github.com/mattermost/mattermost/commit/b33926709b956a59558cc7fef80c0e75a769ce81
    - fix: https://github.com/mattermost/mattermost/commit/b47e89c4f98cb6ad9f1dceb79325aa94e80f963a
    - web: https://mattermost.com/security-updates
source:
    id: GHSA-4r67-4x4p-fprg
    created: 2025-06-11T16:02:11.889463103Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/680955 mentions this issue: data/reports: add 3 reports