In early 2025, a seemingly small—but potentially dangerous—vulnerability was discovered in Mattermost, a popular open-source collaboration platform (think Slack, for the privacy-minded). Identified as CVE-2025-22445, this problem impacts Mattermost versions 10.. up to and including 10.2..
It doesn’t involve complicated network attacks or buffer overflows, but rather, a usability and information accuracy issue in the Mattermost admin UI. If you’re running a team server for sensitive conversations—especially Calls—read carefully.
What’s The Bug?
In certain versions, when admins went to check (and configure) important Calls settings, the UI displayed certain values as “configured” when in reality, those settings were missing from the underlying configuration.
That means admins had a false sense of security. You could look at the Calls settings page and think some security-sensitive options (like call recording restrictions, or access controls) were enabled, but in fact, the settings weren’t present or enforced in the actual config file.
Admins Trust the UI: If the UI says “on”, you believe it.
- Security Settings: Controls around *who can join Calls*, *recording policies*, or *encryption* could silently remain unset.
- Potential Exploitation: Attackers, insiders, or even just mistakes could lead to unsecured Calls, because the system lets you believe you’re guarded when you’re not.
Where Does the Bug Live?
The core issue is inside the admin console’s rendering code. Specifically, in webapp/components/admin_console, security-sensitive config fields related to “Calls” were rendered based on their expected default values, rather than the actual presence of those settings in the config.json.
Suppose your config.json is missing a block like
"CallSettings": {
"EnableRecording": true,
"RestrictToChannels": ["security"]
}
But the admin UI—because of bad logic—shows “Enable Recording: ON” and “Restrict To Channels: security”. Dangerous, because the backend never enforces it!
Code Snippet Illustrating the Flaw
// webapp/components/admin_console/calls_settings.jsx
const recordingEnabled =
config.CallSettings && config.CallSettings.EnableRecording !== undefined
? config.CallSettings.EnableRecording
: DEFAULT_VALUES.EnableRecording; // <- fallback is the problem
// Bug: UI shows 'true' if DEFAULT_VALUES.EnableRecording is true,
// even if config file doesn't actually have that field.
Moral: *The UI shows default states, not actual ones.*
Realistically, this isn’t a direct remote exploit. But
- Attackers with limited access (employee, temporary admin, or helpdesk) could take advantage by “resetting” admin settings via file edits or through automation, causing the UI to misreport Calls security settings.
- Admins could make changes thinking security controls are live—and later learn the hard way that Calls aren’t locked down as expected.
Fix & Mitigation
Patched in Mattermost 10.3.:
The Mattermost team now makes the UI reflect *exactly what’s in config.json*—no more hiding missing settings.
How To Fix If You Can’t Upgrade Yet
- Double check your config.json file. Make sure your Calls settings really exist, not just in the UI.
Quick Bash Self-Check
grep -q '"CallSettings"' /opt/mattermost/config/config.json && \
echo "Calls settings found" || \
echo "WARNING: CallSettings missing!"
References & More Info
- Mattermost Security Bulletin (CVE-2025-22445)
- CVE Details Entry
- Mattermost Releases
- GitHub Patch PR *(replace XXXXX with actual PR number when available)*
Don’t Trust the UI—Verify Your Server Configs!
- Always double-check *live* configuration files, especially after upgrades, migrations, or when troubleshooting security controls.
- Don’t delay upgrading to at least Mattermost 10.3. if you rely on Calls for private conversation.
CVE-2025-22445 is a reminder: *Security is only as strong as the information you trust.* Double-check what really runs on your server!
Timeline
Published on: 01/09/2025 07:15:28 UTC