CVE-2025-0503

Summary

Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost9.11.0 <= 9.11.6affected
MattermostMattermost10.4.0unaffected
MattermostMattermost9.11.7unaffected

Weaknesses

  • CWE-754: CWE-754: Improper Check for Unusual or Exceptional Conditions

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References