CVE-2025-27933
Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server
5.4
MEDIUM
CVSS 3.1
EPSS 0.30%
Description
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public.
How to fix CVE-2025-27933
To remediate CVE-2025-27933, upgrade the affected package to a fixed version below.
- upgrade to 10.0.0 or later
- upgrade to 9.11.9+incompatible or later
- upgrade to 9.11.9 or later
- no fix listed
- no fix listed
- upgrade to 8.0.0-20250218135018-e644e3c8e393 or later
- upgrade to 10.4.3 or later
Is CVE-2025-27933 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (7)
- >= 9.11.0, < 10.0.0, >= 10.3.0, < 10.5.1
- >= 9.11.0+incompatible, < 9.11.9+incompatible, >= 10.3.0+incompatible, < 10.3.4+incompatible, >= 10.4.0+incompatible, < 10.4.3+incompatible
- from 0, < 9.11.9
- from 0
- from 0
- from 0, < 8.0.0-20250218135018-e644e3c8e393
- >= 10.4.0, < 10.4.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |