CVE-2025-0503: Leaked User IDs and Metadata of Deleted DMs
First published: Fri Feb 14 2025(Updated: )
Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.
Credit: responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mattermost | <=9.11.6 |
Remedy
Update Mattermost to versions 10.4.0, 9.11.7 or higher.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-0503?
CVE-2025-0503 has a high severity rating due to its potential to expose sensitive user information.
How do I fix CVE-2025-0503?
To fix CVE-2025-0503, upgrade Mattermost to version 9.11.7 or later where the issue is resolved.
What impact does CVE-2025-0503 have on Mattermost users?
CVE-2025-0503 allows attackers to infer user IDs and metadata from deleted direct messages, compromising user privacy.
Which versions of Mattermost are affected by CVE-2025-0503?
Mattermost versions 9.11.x up to and including 9.11.6 are affected by CVE-2025-0503.
Can CVE-2025-0503 be exploited remotely?
Yes, CVE-2025-0503 can potentially be exploited remotely if an attacker has access to the deleted channels endpoint.
- agent/remedy
- agent/weakness
- agent/title
- agent/references
- agent/description
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/severity
- agent/author
- agent/source
- agent/event
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/mattermost
- canonical/mattermost