CVE-2025-35965
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Mattermost | Mattermost | 10.4.0 <= 10.4.2 | affected |
| Mattermost | Mattermost | 10.5.0 | affected |
| Mattermost | Mattermost | 9.11.0 <= 9.11.10 | affected |
| Mattermost | Mattermost | 10.6.0 | unaffected |
| Mattermost | Mattermost | 10.4.3 | unaffected |
| Mattermost | Mattermost | 10.5.1 | unaffected |
| Mattermost | Mattermost | 9.11.11 | unaffected |
Weaknesses
- CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.