Dependency Vulnerability Analysis
This document provides context on why certain third-party dependencies in Mattermost, although flagged as vulnerable by security scanners, do not pose a risk in Mattermost deployments.
This analysis is regularly updated as new vulnerability reports are received and evaluated.
Overview
Mattermost regularly scans its dependencies for known vulnerabilities. Some dependencies may be flagged as vulnerable by security scanners, but these vulnerabilities might not be applicable to Mattermost due to:
How the dependency is used in Mattermost
The specific version or configuration implemented
Mitigations already in place
False positives in the scanning process
Dependency Analysis Table
Below is a list of dependencies flagged as vulnerable by security scanners, along with the justification for why each issue is not relevant to Mattermost deployments:
| Dependency / Version | Vulnerability | False Positive Justification |
|---|---|---|
| github.com/mholt/archiver/v3 v3.5.1 | GHSA-rhh4-rh7c-7r5v CVE-2024-0406 | Mattermost doesn’t use the vulnerable |
| github.com/mholt/archiver/v3 v3.5.1 | GHSA-7vpp-9cxj-q8g CVE-2025-3445 | Mattermost doesn’t use the vulnerable |
| github.com/redis/go-redis/v9 v9.7.0 | GHSA-92cp-5422-2mw7 CVE-2025-29923 | Mattermost doesn’t use the vulnerable |
| github.com/blevesearch/bleve/v2 v2.4.4-0.20250115090822-cbafdca08538 | GHSA-9w9f-6mg8-jp7w CVE-2022-31022 | Mattermost doesn’t use this transitive dependency. |
| golang stdlib v1.23.7 | CVE-2025-22871 | Mattermost doesn’t use the vulnerable functions. |