CVE-2025-35965

Summary

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.4.0 <= 10.4.2affected
MattermostMattermost10.5.0affected
MattermostMattermost9.11.0 <= 9.11.10affected
MattermostMattermost10.6.0unaffected
MattermostMattermost10.4.3unaffected
MattermostMattermost10.5.1unaffected
MattermostMattermost9.11.11unaffected

Weaknesses

  • CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References