CVE-2025-20621
Published: 16 January 2025
Description
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel.
Security Summary
CVE-2025-20621 is a vulnerability in Mattermost versions 10.2.x up to and including 10.2.0, 9.11.x up to 9.11.5, 10.0.x up to 10.0.3, and 10.1.x up to 10.1.3. It arises from the webapp's failure to properly handle posts containing attachments with fields that cannot be cast to a String. An attacker can exploit this by creating and sending such a post to a channel, resulting in a crash of the webapp. The issue carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-1287.
The attack requires network access and low privileges, such as those of an authenticated user, with low complexity and no user interaction. By posting a malformed attachment to any channel, the attacker triggers an unhandled casting error that crashes the Mattermost webapp, leading to a denial-of-service condition that disrupts availability for all users without compromising confidentiality or integrity.
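The crash class the summary describes, as an added illustration (not Mattermost's code, and not a claim about the exact faulty line in the webapp): a hypothetical attachment-field renderer that assumes every field value is a string, beside a version that validates the type before rendering. The attachment shape and the sample values are constructed for the example.

```javascript
// Added illustration (not Mattermost's code): a message-attachment renderer
// that trusts the declared type of field values, beside one that validates
// the type first (the CWE-1287 pattern the advisory points at).

// Constructed sample attachment: one well-formed field followed by values a
// sender could supply in place of strings.
const SAMPLE_ATTACHMENT = {
  fields: [
    { title: 'Status', value: 'open', short: true },
    { title: 'Count', value: 42, short: true },               // number
    { title: 'Meta', value: { nested: true }, short: false }, // object
    { title: 'Empty', value: null, short: true },             // null
  ],
};

// Naive renderer: calls a string method on whatever arrives. A single
// non-string field throws, and without an error boundary the exception
// takes the whole view down with it.
function renderFieldsNaive(attachment) {
  return attachment.fields.map((f) => `${f.title}: ${f.value.trim()}`);
}

// Safe coercion: only primitives become text; anything else is replaced by a
// placeholder. Objects are never handed to String(): besides rendering as an
// unhelpful "[object Object]", some objects (null-prototype objects, objects
// whose toString is not callable) throw during primitive conversion.
function toDisplayString(value) {
  if (value === null || value === undefined) return '';
  const t = typeof value;
  if (t === 'string') return value.trim();
  if (t === 'number' || t === 'boolean' || t === 'bigint') return String(value);
  return '[unsupported value]';
}

// Hardened renderer: every field passes through the validating coercion, and
// a malformed attachment degrades to an empty list instead of an exception.
function renderFieldsSafe(attachment) {
  if (!attachment || !Array.isArray(attachment.fields)) return [];
  return attachment.fields
    .filter((f) => f && typeof f === 'object')
    .map((f) => `${toDisplayString(f.title)}: ${toDisplayString(f.value)}`);
}

// Reports whether the naive renderer throws on the given attachment,
// i.e. whether this input would reach an unhandled exception.
function naiveCrashes(attachment) {
  try { renderFieldsNaive(attachment); return false; } catch (e) { return true; }
}
```

In a React-based webapp the same idea applies at the component level: wrap attachment rendering in an error boundary so one malformed post cannot unmount the channel view.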
Mattermost has published details on mitigations in their security updates, available at https://mattermost.com/security-updates.
Details
- CWE(s): CWE-1287