CVE-2025-41395: Webapp DoS via malicious retrospective post in Playbooks
First published: Thu Apr 24 2025(Updated: )
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of service (DoS) of the web app for all users.
Credit: responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mattermost | <=10.4.2<=10.5.0<=9.11.10 | |
| go/github.com/mattermost/mattermost-plugin-playbooks | <1.41.0 | 1.41.0 |
| go/github.com/mattermost/mattermost/server/v8 | >=9.11.0<9.11.11 | |
| go/github.com/mattermost/mattermost/server/v8 | >=10.5.0<10.5.1 | |
| go/github.com/mattermost/mattermost/server/v8 | >=10.4.0<10.4.3 | |
| go/github.com/mattermost/mattermost/server/v8 | <8.0.0-20250218121836-2b5275d87136 | 8.0.0-20250218121836-2b5275d87136 |
| go/github.com/mattermost/mattermost-plugin-playbooks | >=2.0.0<2.1.1 |
Remedy
Update Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.11 or higher. Otherwise, update the Playbooks plugin to version 2.1.1 or higher
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://mattermost.com/security-updates
- https://nvd.nist.gov/vuln/detail/CVE-2025-41395
- https://github.com/mattermost/mattermost-plugin-playbooks/commit/4c823090e281cb9c0d5c17ee2e5db275117540d1
- https://github.com/mattermost/mattermost/commit/2b5275d87136f07e016c8eca09a2f004b31afc8a
- https://github.com/advisories/GHSA-3g36-gf7c-75qw (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-41395?
CVE-2025-41395 has been classified as a high severity vulnerability due to its potential to allow attackers to exploit improperly validated props in the Mattermost Playbooks plugin.
How do I fix CVE-2025-41395?
To fix CVE-2025-41395, upgrade your Mattermost instance to versions 10.4.3, 10.5.1, or 9.11.11 or later.
Which versions are affected by CVE-2025-41395?
CVE-2025-41395 affects Mattermost versions 10.4.x up to and including 10.4.2, 10.5.x up to and including 10.5.0, and 9.11.x up to and including 9.11.10.
What type of attacks can be performed using CVE-2025-41395?
An attacker can exploit CVE-2025-41395 by creating specially crafted posts that can execute malicious actions within the Mattermost environment.
Is there a workaround for CVE-2025-41395?
No official workaround has been provided for CVE-2025-41395; users are advised to upgrade to fixed versions to mitigate risk.
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/weakness
- agent/description
- agent/title
- agent/type
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- agent/author
- agent/severity
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/nvd-cve
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-3g36-gf7c-75qw
- alias/CVE-2025-41395
- agent/references
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/mattermost
- canonical/mattermost
- package-manager/go