CVE-2025-21088

Summary

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.2.0affected
MattermostMattermost9.11.0 <= 9.11.5affected
MattermostMattermost10.0.0 <= 10.0.3affected
MattermostMattermost10.1.0 <= 10.1.3affected
MattermostMattermost10.3.0unaffected
MattermostMattermost10.2.1unaffected
MattermostMattermost9.11.6unaffected
MattermostMattermost10.0.4unaffected
MattermostMattermost10.1.4unaffected

Weaknesses

  • CWE-704: CWE-704: Incorrect Type Conversion or Cast

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References