CVE-2025-20630
Published: 16 January 2025
Description
Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile app to crash by creating and sending such a post to a channel.
Security Summary
Mattermost Mobile versions <=2.22.0 are affected by CVE-2025-20630, a vulnerability where the app fails to properly handle posts with attachments containing fields that cannot be cast to a String. This flaw allows an attacker to crash the mobile application by creating and sending such a malformed post to a channel. The issue is rated 6.5 on CVSS 3.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-1287.
An attacker needs only the low privileges of an authenticated user (PR:L) and can exploit the flaw remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in a denial of service: the Mattermost Mobile app crashes for every recipient who views the channel, giving a high availability impact (A:H) with no compromise of confidentiality or integrity.
The Mattermost security updates page at https://mattermost.com/security-updates details the vulnerability and its mitigation, recommending an upgrade to Mattermost Mobile version 2.23.0 or later, which resolves the improper handling of non-String fields in attachments.
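The handling gap this CVE describes, as an added example that is not Mattermost's own code: a client-side normalizer that coerces attachment field titles and values to strings before rendering, paired with an ingest-side check that flags non-String fields, both run against a constructed malformed post. The field shape ({title, value, short}) follows the Slack-compatible message attachment format Mattermost posts carry in post.props.attachments; the exact crash path inside the mobile app is not reproduced.

```javascript
// Added example (not Mattermost's code): normalize the Slack-style attachment
// "fields" ({title, value, short}) carried in post.props.attachments so that
// non-String values never reach the text renderer, and flag them on ingest.

// Coerce any JSON value to a display string without throwing.
function toDisplayString(value) {
  if (value === null || value === undefined) return '';
  if (typeof value !== 'object') return String(value); // number, boolean, ...
  try { return JSON.stringify(value); } catch (e) { return '[unrenderable value]'; }
}

// Client side: a copy of the attachments with every field title/value a string
// and `short` a boolean, so rendering cannot fail on a malformed field.
function normalizeAttachments(attachments) {
  if (!Array.isArray(attachments)) return [];
  return attachments.map((att) => ({
    ...att,
    fields: (Array.isArray(att && att.fields) ? att.fields : [])
      .filter((f) => f && typeof f === 'object')
      .map((f) => ({
        title: toDisplayString(f.title),
        value: toDisplayString(f.value),
        short: f.short === true,
      })),
  }));
}

// Server/ingest side: list fields whose title or value is present but not a
// string, so the post can be rejected or logged before delivery to clients.
function findNonStringFields(attachments) {
  const findings = [];
  (Array.isArray(attachments) ? attachments : []).forEach((att, i) => {
    (Array.isArray(att && att.fields) ? att.fields : []).forEach((f, j) => {
      for (const key of ['title', 'value']) {
        if (f && f[key] !== undefined && typeof f[key] !== 'string') {
          findings.push({ attachment: i, field: j, key, type: typeof f[key] });
        }
      }
    });
  });
  return findings;
}

// Constructed sample props: a well-formed field, an object value, a null title with a number.
const samplePostProps = { attachments: [{ title: 'Build status', fields: [
  { title: 'Branch', value: 'main', short: true },
  { title: 'Meta', value: { nested: [1, 2] }, short: false },
  { title: null, value: 42 },
] }] };
```

Running the ingest check on a post before fan-out and the normalizer on the client gives two independent layers; either one alone is enough to stop the crash class this advisory describes.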
Details
- CWE(s): CWE-1287 (Improper Validation of Specified Type of Input)