# Dependency Vulnerability Analysis
This document provides context on why certain third-party dependencies in Mattermost, although flagged as vulnerable by security scanners, do not pose a risk in Mattermost deployments.
This analysis is regularly updated as new vulnerability reports are received and evaluated.
## Overview
Mattermost regularly scans its dependencies for known vulnerabilities. Some dependencies may be flagged as vulnerable by security scanners, but these vulnerabilities might not be applicable to Mattermost due to:
- How the dependency is used in Mattermost
- The specific version or configuration implemented
- Mitigations already in place
- False positives in the scanning process
## Dependency Analysis Table
Below is a list of dependencies flagged as vulnerable by security scanners, along with the justification for why each issue is not relevant to Mattermost deployments:
| Dependency / Version | Vulnerability | False Positive Justification |
|---|---|---|
| github.com/mholt/archiver/v3 v3.5.1 | GHSA-rhh4-rh7c-7r5v, CVE-2024-0406 | Mattermost doesn’t use the vulnerable |
| github.com/mholt/archiver/v3 v3.5.1 | GHSA-7vpp-9cxj-q8g, CVE-2025-3445 | Mattermost doesn’t use the vulnerable |
| github.com/redis/go-redis/v9 v9.7.0 | GHSA-92cp-5422-2mw7, CVE-2025-29923 | Mattermost doesn’t use this transitive dependency. |
| github.com/blevesearch/bleve/v2 v2.4.4-0.20250115090822-cbafdca08538 | GHSA-9w9f-6mg8-jp7w, CVE-2022-31022 | Mattermost doesn’t use the vulnerable |
| golang stdlib v1.23.7 | CVE-2025-22871 | Mattermost doesn’t use the vulnerable functions |
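A justification table like the one above is most useful to downstream scanners when it is also available in a machine-readable form. The following script is an added example, not Mattermost's own tooling: it encodes the table's rows as OpenVEX `not_affected` statements so that VEX-aware scanners can suppress these findings. The mapping from each row's wording to an OpenVEX justification value, the `pkg:golang` package URLs, the `stdlib` module name and the document `@id` are this example's own assumptions.

```python
"""Emit an OpenVEX document from the dependency false-positive table above."""
import json
from datetime import datetime, timezone

# Rows taken from the page's table: (module, version, CVE, OpenVEX justification).
# Choosing "vulnerable_code_not_in_execute_path" for "doesn't use the vulnerable
# functions" and "component_not_present" for "doesn't use this transitive
# dependency" is this example's mapping, not a Mattermost decision.
FINDINGS = [
    ("github.com/mholt/archiver/v3", "v3.5.1", "CVE-2024-0406", "vulnerable_code_not_in_execute_path"),
    ("github.com/mholt/archiver/v3", "v3.5.1", "CVE-2025-3445", "vulnerable_code_not_in_execute_path"),
    ("github.com/redis/go-redis/v9", "v9.7.0", "CVE-2025-29923", "component_not_present"),
    ("github.com/blevesearch/bleve/v2", "v2.4.4-0.20250115090822-cbafdca08538",
     "CVE-2022-31022", "vulnerable_code_not_in_execute_path"),
    ("stdlib", "v1.23.7", "CVE-2025-22871", "vulnerable_code_not_in_execute_path"),
]


def purl(module, version):
    """Package URL for a Go module in the form pkg:golang/<module>@<version>."""
    return f"pkg:golang/{module}@{version}"


def build_openvex(findings, author="example-security-team"):
    """Build an OpenVEX v0.2.0 document with one not_affected statement per row."""
    doc = {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.invalid/vex/dependency-analysis",  # placeholder IRI
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": [],
    }
    for module, version, cve, justification in findings:
        doc["statements"].append({
            "vulnerability": {"name": cve},
            "products": [{"@id": purl(module, version)}],
            "status": "not_affected",
            "justification": justification,
        })
    return doc


if __name__ == "__main__":
    print(json.dumps(build_openvex(FINDINGS), indent=2))
```

Re-run the script whenever a row is added or removed so the VEX document never claims a status the table no longer supports.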