Mattermost Playbooks fails to validate the uniqueness and quantity of task actions

GHSA-689c-xq7x-xjwf · CVE-2025-35965 · GO-2025-3643

Published Apr 24, 2025 · Modified Apr 1, 2026

Description

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-35965
WEB https://github.com/mattermost/mattermost-plugin-playbooks/commit/bf2633dad09f5768ce2bea4b7c5ffb74050052a8
WEB https://github.com/mattermost/mattermost/commit/2b5275d87136f07e016c8eca09a2f004b31afc8a
PACKAGE https://github.com/mattermost/mattermost-plugin-playbooks
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes