CVE-2025-35965

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://mattermost.com/security-updates	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server:10.5.0:-::::::

History

No history.

Information

Published : 2025-04-24 07:15

Updated : 2025-09-29 21:10

NVD link : CVE-2025-35965

Mitre link : CVE-2025-35965

CVE.ORG link : CVE-2025-35965

JSON object : View

Products Affected

mattermost

mattermost_server

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2025-35965", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-04-24T07:15:31.280", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition."}, {"lang": "es", "value": "Las versiones de Mattermost 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 no logran validar la singularidad y la cantidad de acciones de tareas dentro de la operaci\u00f3n GraphQL UpdateRunTaskActions, lo que permite a un atacante crear elementos de tarea que contienen una cantidad excesiva de acciones activadas por publicaciones espec\u00edficas, sobrecargando el servidor y provocando una condici\u00f3n de denegaci\u00f3n de servicio (DoS)."}], "lastModified": "2025-09-29T21:10:29.280", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E0C9974-736C-4E66-B609-EA3F40E9304B", "versionEndExcluding": "9.11.11", "versionStartIncluding": "9.11.0"}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F2ACE54D-3EC6-4AC9-B243-35E8FFBE0EA0", "versionEndExcluding": "10.4.3", "versionStartIncluding": "10.4.0"}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:10.5.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FCB473B7-939A-437C-9488-980523F2B043"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}