CVE-2025-35965

Description

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition.

CVSS Metrics

• v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
• v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.17%• Percentile: 38%

Techniques & Countermeasures

• CWE-770•Allocation of Resources Without Limits or Throttling

  The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Systems

• github.com/mattermost•mattermost-plugin-playbooks

  all | ≥ 2.0.0 | < 1.41.0

• github.com/mattermost•mattermost-server

  ≥ 9.11.0+incompatible | ≥ 10.4.0+incompatible | ≥ 10.5.0+incompatible

• github.com/mattermost/mattermost-server•v5

  all

• github.com/mattermost/mattermost-server•v6

  all

• github.com/mattermost/mattermost/server•v8

  all | < 8.0.0-20250218121836-2b5275d87136 | ≥ 10.4.0 | ≥ 10.5.0 | ≥ 9.11.0

• mattermost•mattermost

  ≥ 10.4.0, ≤ 10.4.2 | 10.5.0 | ≥ 9.11.0, ≤ 9.11.10

• mattermost•mattermost_server

  ≥ 9.11.0, < 9.11.11 | ≥ 10.4.0, < 10.4.3 | 10.5.0

References (6)

• https://mattermost.com/security-updates
• https://github.com/advisories/GHSA-689c-xq7x-xjwf
• https://nvd.nist.gov/vuln/detail/CVE-2025-35965
• https://github.com/mattermost/mattermost-plugin-playbooks/commit/bf2633dad09f5768ce2bea4b7c5ffb74050052a8
• https://github.com/mattermost/mattermost/commit/2b5275d87136f07e016c8eca09a2f004b31afc8a
• https://github.com/mattermost/mattermost-plugin-playbooks