GHSA-wj4j-qc2m-fgh7

GitHub Security Advisory

Mattermost Desktop App Uncontrolled Search Path Vulnerability

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching for the cmd.exe file, which allows a local attacker who is able to put a cmd.exe file in the Downloads folder of a user's machine to cause remote code execution on that machine.

Affected Packages

npm mattermost-desktop
Affected versions: 0 (fixed in 5.9.0)

Related CVEs

Key Information

GHSA ID: GHSA-wj4j-qc2m-fgh7
Published: September 16, 2024 2:37 PM
Last Modified: September 16, 2024 8:14 PM
CVSS Score: 5.0/10
Primary Ecosystem: npm
Primary Package: mattermost-desktop
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 2, 2025 6:46 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.