CVE-2025-20621

Summary

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.2.0 <= 10.2.0affected
MattermostMattermost9.11.0 <= 9.11.5affected
MattermostMattermost10.0.0 <= 10.0.3affected
MattermostMattermost10.1.0 <= 10.1.3affected
MattermostMattermost10.3.0unaffected
MattermostMattermost2.23.0unaffected
MattermostMattermost10.2.1unaffected
MattermostMattermost9.11.6unaffected
MattermostMattermost10.0.4unaffected
MattermostMattermost10.1.4unaffected

Weaknesses

  • CWE-1287: CWE-1287: Improper Validation of Specified Type of Input

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References