CVE-2025-35965 MEDIUM

CVE-2025-35965: DoS in Mattermost Playbooks via Excessive Task Actions

Vendor Mattermost
Product Mattermost
Weakness CWE-770 · Uncontrolled resource consumption
Published April 24, 2025
Last update April 24, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition.

Key dates

Disclosure timeline

April 24, 2025: CVE published
April 24, 2025: Record updated