CVE-2025-20072

Medium

Published: 16 January 2025

Published

16 January 2025

Modified

24 September 2025

KEV Added

—

Patch

—

CVSS Score 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0023 45.8th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input.

Security Summary

CVE-2025-20072 affects Mattermost Mobile versions up to and including 2.22.0. The vulnerability stems from a failure to properly validate the style property of proto supplied to an action's style in post.props.attachments. This issue, published on 2025-01-16 and associated with CWE-704 (Incorrect Type Conversion or Cast), carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating medium severity primarily due to high availability impact.

An attacker requires low privileges, such as those of an authenticated user on a Mattermost server, to exploit the vulnerability over the network. Exploitation involves low complexity and no user interaction, allowing the attacker to deliver crafted malicious input that crashes the victim's Mattermost Mobile application, resulting in a denial-of-service condition without affecting confidentiality or integrity.

Mattermost has published security updates addressing this issue at https://mattermost.com/security-updates, where practitioners can find details on patches and mitigation steps.

Details

CWE(s): CWE-704

Affected Products

mattermost

mattermost mobile

≤ 2.23.0

References

https://mattermost.com/security-updates
Vendor Advisory · responsibledisclosure@mattermost.com