CVE-2025-11579

github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.
Configurations

No configuration.

History

02 Dec 2025, 10:16

CVSS
  Values Removed: v2: unknown, v3: 3.1
  Values Added: v2: unknown, v3: 5.3
CWE
  Values Removed: CWE-306
  Values Added: CWE-789
Summary
  Values Removed: (en) Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does not have access to
  Values Added: (en) github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.
References
  Values Added: https://github.com/nwaples/rardecode/commit/52fb4e825c936636f251f7e7deded39ab11df9a9

27 Nov 2025, 12:15

References
  Values Removed: https://github.com/nwaples/rardecode/commit/52fb4e825c936636f251f7e7deded39ab11df9a9 (source: [email protected])
  Values Added: https://mattermost.com/security-updates
Summary
  Values Removed: (en) github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.
  Values Added: (en) Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does not have access to
CWE
  Values Removed: CWE-789
  Values Added: CWE-306
CVSS
  Values Removed: v2: unknown, v3: 5.3
  Values Added: v2: unknown, v3: 3.1

Information

Published : 2025-10-10 12:15

Updated : 2025-12-02 10:16
NVD link : CVE-2025-11579

Mitre link : CVE-2025-11579

CVE.ORG link : CVE-2025-11579

Products Affected

No product.

CWE

CWE-789 (Memory Allocation with Excessive Size Value)