Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names

GHSA-jc6w-8r7f-vmp5 · CVE-2017-18871 · GO-2025-4184

Published May 24, 2022 · Modified Dec 9, 2025

Description

An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-18871
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes