Dependency Vulnerability Analysis

This document provides context on why certain third-party dependencies in Mattermost, although flagged as vulnerable by security scanners, do not pose a risk in Mattermost deployments.

This analysis is regularly updated as new vulnerability reports are received and evaluated.

Overview

Mattermost regularly scans its dependencies for known vulnerabilities. Some dependencies may be flagged as vulnerable by security scanners, but these vulnerabilities might not be applicable to Mattermost due to:

  • How the dependency is used in Mattermost

  • The specific version or configuration implemented

  • Mitigations already in place

  • False positives in the scanning process
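The distinctions above (a module merely required, a package imported, a vulnerable function actually called) are what symbol-level scanners such as govulncheck report. The following added example, not part of this page or of Mattermost's code, triages a constructed `govulncheck -json` stream into those three levels and drafts a justification line for each advisory; the message shape (a "finding" with an OSV id and a "trace" whose first frame carries module, package and function) is assumed, and the `GO-EXAMPLE-*` ids are placeholders.

```python
import json
# Reachability levels a scanner can report for one advisory, weakest first.
LEVELS = ("required", "imported", "called")

# Constructed `govulncheck -json` stream (assumed shape: each "finding" names an
# OSV id and a "trace" whose first frame holds the vulnerable module and, when
# reached, its package and function; other message kinds are ignored).
SAMPLE_REPORT = """
{"finding":{"osv":"GO-EXAMPLE-0001","trace":[{"module":"github.com/mholt/archiver/v3","version":"v3.5.1"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","trace":[{"module":"github.com/mholt/archiver/v3","version":"v3.5.1","package":"github.com/mholt/archiver/v3"}]}}
{"finding":{"osv":"GO-EXAMPLE-0002","trace":[{"module":"github.com/redis/go-redis/v9","version":"v9.7.0"}]}}
{"finding":{"osv":"GO-EXAMPLE-0003","trace":[{"module":"stdlib","version":"v1.23.7","package":"net/http/internal","function":"Read","receiver":"*chunkedReader"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
"""

def iter_messages(text):
    """Yield every JSON object in a concatenated (possibly pretty-printed) stream."""
    dec, pos = json.JSONDecoder(), 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        obj, pos = dec.raw_decode(text, pos)
        yield obj

def finding_level(finding):
    # Module-only, package imported, or function called, judged by the first frame.
    frame = finding["trace"][0]
    return "called" if frame.get("function") else "imported" if frame.get("package") else "required"

def triage(text):
    """Keep the strongest reachability level seen for each OSV id."""
    verdicts = {}
    for msg in iter_messages(text):
        finding = msg.get("finding")
        if not finding:
            continue  # config/progress/osv messages carry no reachability data
        level, frame = finding_level(finding), finding["trace"][0]
        prev = verdicts.get(finding["osv"])
        if prev is None or LEVELS.index(level) > LEVELS.index(prev["level"]):
            verdicts[finding["osv"]] = {"level": level, "frame": frame}
    return verdicts

def justification(verdict):
    """Draft the table's justification column (or an action item) from a verdict."""
    f, level = verdict["frame"], verdict["level"]
    if level == "called":
        sym = ".".join(p for p in (f.get("receiver"), f["function"]) if p)
        return f"ACTIONABLE: {f['package']} {sym} is reachable; upgrade {f['module']}"
    if level == "imported":
        return f"package {f['package']} is imported but the vulnerable symbol is not called"
    return f"module {f['module']} is only a transitive requirement; no package imported"
```

Only the "called" verdict is a real finding; the other two are the evidence behind justifications like the ones in the table below.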

Dependency Analysis Table

Below is a list of dependencies flagged as vulnerable by security scanners, along with the justification for why each issue is not relevant to Mattermost deployments:

| Dependency / Version | Vulnerability | False Positive Justification |
| --- | --- | --- |
| github.com/mholt/archiver/v3 v3.5.1 | GHSA-rhh4-rh7c-7r5v, CVE-2024-0406 | Mattermost doesn’t use the vulnerable Unarchive() function. |
| github.com/mholt/archiver/v3 v3.5.1 | GHSA-7vpp-9cxj-q8g, CVE-2025-3445 | Mattermost doesn’t use the vulnerable Unarchive() function. |
| github.com/redis/go-redis/v9 v9.7.0 | GHSA-92cp-5422-2mw7, CVE-2025-29923 | Mattermost doesn’t use this transitive dependency. |
| github.com/blevesearch/bleve/v2 v2.4.4-0.20250115090822-cbafdca08538 | GHSA-9w9f-6mg8-jp7w, CVE-2022-31022 | Mattermost doesn’t use the vulnerable bleve/http package. |
| golang stdlib v1.23.7 | CVE-2025-22871 | Mattermost doesn’t use the vulnerable functions chunkedReader.Read and readChunkLine. |