Mattermost is vulnerable to CPU exhaustion via crafted HTTP request

GHSA-9r42-rhw3-2222 · CVE-2025-14822 · GO-2026-4325

Published Jan 16, 2026 · Modified Feb 27, 2026

Description

Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-14822
WEB https://github.com/mattermost/mattermost/commit/4d86263f5430d0eb991fc52ec886cf778cb072e6
WEB https://github.com/mattermost/mattermost/commit/b3d6c0c564c1a79e54e5105d0a8b60fc58a2bdee
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates
WEB https://pkg.go.dev/vuln/GO-2026-4325

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes