CVE-2025-35965: DoS in Mattermost Playbooks via Excessive Task Actions
First published: Thu Apr 24 2025(Updated: )
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition.
Credit: responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mattermost | <=10.4.2<=10.5.0<=9.11.10 | |
| go/github.com/mattermost/mattermost-plugin-playbooks | <1.41.0 | 1.41.0 |
| go/github.com/mattermost/mattermost/server/v8 | >=9.11.0<9.11.11 | |
| go/github.com/mattermost/mattermost/server/v8 | >=10.5.0<10.5.1 | |
| go/github.com/mattermost/mattermost/server/v8 | >=10.4.0<10.4.3 | |
| go/github.com/mattermost/mattermost-plugin-playbooks | >=2.0.0<2.1.1 | |
| go/github.com/mattermost/mattermost/server/v8 | <8.0.0-20250218121836-2b5275d87136 | 8.0.0-20250218121836-2b5275d87136 |
Remedy
Update Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.11 or higher. Alternatively, update the Mattermost Playbooks plugin to version 2.1.1 or higher.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://mattermost.com/security-updates
- https://nvd.nist.gov/vuln/detail/CVE-2025-35965
- https://github.com/mattermost/mattermost-plugin-playbooks/commit/bf2633dad09f5768ce2bea4b7c5ffb74050052a8
- https://github.com/mattermost/mattermost/commit/2b5275d87136f07e016c8eca09a2f004b31afc8a
- https://github.com/advisories/GHSA-689c-xq7x-xjwf (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-35965?
CVE-2025-35965 has a medium severity rating due to its potential to allow attackers to create task items with excessive actions.
How do I fix CVE-2025-35965?
To resolve CVE-2025-35965, upgrade Mattermost to versions 10.4.3, 10.5.1, or newer than 9.11.10.
Which versions of Mattermost are affected by CVE-2025-35965?
CVE-2025-35965 affects Mattermost versions 10.4.x up to 10.4.2, 10.5.x up to 10.5.0, and 9.11.x up to 9.11.10.
What kind of attack can be executed through CVE-2025-35965?
CVE-2025-35965 allows an attacker to create task items that can trigger an excessive number of actions, potentially leading to denial of service.
Is there a workaround for CVE-2025-35965 if I cannot upgrade?
Currently, there are no known workarounds for CVE-2025-35965, and upgrading is strongly recommended.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/remedy
- agent/description
- agent/title
- agent/type
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- agent/author
- agent/severity
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/nvd-cve
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-689c-xq7x-xjwf
- alias/CVE-2025-35965
- agent/references
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/mattermost
- canonical/mattermost
- package-manager/go