Dependency Vulnerability Analysis
This document provides context on why certain third-party dependencies in Mattermost, although flagged as vulnerable by security scanners, do not pose a risk in Mattermost deployments.
This analysis is regularly updated as new vulnerability reports are received and evaluated.
Overview
Mattermost regularly scans its dependencies for known vulnerabilities. Some dependencies may be flagged as vulnerable by security scanners, but these vulnerabilities might not be applicable to Mattermost due to:
- How the dependency is used in Mattermost
- The specific version or configuration implemented
- Mitigations already in place
- False positives in the scanning process
Dependency Analysis Table
Below is a list of dependencies flagged as vulnerable by security scanners for our latest release, along with the justification for why each issue is not relevant to Mattermost deployments:
| Dependency / Version | Vulnerability | False Positive Justification |
|---|---|---|
| github.com/mattermost/mattermost/server/v8 | Multiple CVE IDs | Mattermost uses Go module workspaces, which override go.mod dependency versions with local filesystem code at build time. The vulnerable versions are never included in final Docker images. |
| golang.org/x/crypto v0.44.0 | GHSA-f6x5-jh6r-wrfv, CVE-2025-47914 | Mattermost does not use the vulnerable golang.org/x/crypto/ssh package. Upgrade is planned for v11.4. |
| golang.org/x/crypto v0.44.0 | GHSA-j5w8-q4qc-rx2x, CVE-2025-58181 | Mattermost does not use the vulnerable golang.org/x/crypto/ssh package. Upgrade is planned for v11.4. |
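Both justifications in the table rest on the same point: a scanner reads go.mod, but what matters is what the built binary embeds. The Go program below is an added example, not Mattermost code: it reads a binary's embedded module list (the format `go version -m <binary>` prints, which `debug.ParseBuildInfo` parses) and classifies one scanner finding as applying, fixed, replaced by local workspace code, or not linked at all. The build-info excerpt, the `github.com/example/thirdparty` module and its replacement path are constructed, and `v0.99.0` is a placeholder for the advisory's real fixed version.

```go
package main

import (
	"fmt"
	"runtime/debug"
)

// Finding is one scanner result: the flagged module and the first version that fixes it.
type Finding struct{ ID, Module, Fixed string }

// Constructed build info in debug.BuildInfo.String() form, i.e. what `go version -m <binary>`
// prints after the binary name. The thirdparty module and its replacement path are hypothetical.
const sampleBuildInfo = "path\tgithub.com/mattermost/mattermost/server/v8/cmd/mattermost\n" +
	"mod\tgithub.com/mattermost/mattermost/server/v8\t(devel)\n" +
	"dep\tgolang.org/x/crypto\tv0.44.0\n" +
	"dep\tgithub.com/example/thirdparty\tv1.2.3\n" +
	"=>\t/src/workspace/thirdparty\t(devel)\t\n" // replacement line: path, version, empty sum

// olderThan reports whether vMAJOR.MINOR.PATCH a is strictly older than b (lexicographic on the
// three numbers; pseudo-version suffixes are ignored).
func olderThan(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	return x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
}

// Assess returns "not-linked" (module absent from the binary), "replaced" (a workspace or
// replace directive built local code, so review that source rather than the go.mod version
// the scanner saw), "applies" or "fixed" for one finding against the binary's build info.
func Assess(buildInfo string, f Finding) (string, error) {
	bi, err := debug.ParseBuildInfo(buildInfo)
	if err != nil {
		return "", err
	}
	for _, d := range bi.Deps {
		switch {
		case d.Path != f.Module:
			continue
		case d.Replace != nil:
			return "replaced", nil
		case olderThan(d.Version, f.Fixed):
			return "applies", nil
		}
		return "fixed", nil
	}
	return "not-linked", nil
}

func main() { // v0.99.0 is a placeholder fixed version; take the real one from the advisory
	fmt.Println(Assess(sampleBuildInfo, Finding{"CVE-2025-47914", "golang.org/x/crypto", "v0.99.0"}))
}
```

Build info records modules, not packages, so this cannot confirm the second justification (that golang.org/x/crypto/ssh is never imported); `govulncheck` does that part by checking which vulnerable packages and symbols the binary actually contains.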