CVE-2017-18871
Description
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An @ character before a JavaScript field name in Mattermost Server prior to 4.5.0, 4.4.5, 4.3.4, and 4.2.2 can cause a crash, leading to denial of service.
Vulnerability
Overview
CVE-2017-18871 is a denial-of-service vulnerability in Mattermost Server before 4.5.0, 4.4.5, 4.3.4 and 4.2.2. The public description gives the root cause only as mishandling of an @ character placed before a JavaScript field name: when the server processes such input, the process crashes. The references cited here publish no further detail about the parser or endpoint involved.
Exploitation
The public description does not identify the request or message field that carries the trigger; it states only that an @ character immediately before a JavaScript field name makes the server crash. A CVSS v3 base score of 7.5 with availability as the only impact corresponds to a trigger that is reachable over the network and needs neither privileges nor user interaction, so delivering the crafted input to a server endpoint that parses it is sufficient. More specific exploitation steps are not documented in the cited references and should not be assumed.
Impact
Successful exploitation crashes the Mattermost Server process, making the platform unavailable to every user until the service is restarted, and it can be crashed again until it is patched. This disrupts team communication and any integrations that depend on the server. NVD rates the vulnerability at a CVSS v3 base score of 7.5 (High), reflecting a high availability impact with no confidentiality or integrity impact [1].
Mitigation
Mattermost released fixes in versions 4.2.2, 4.3.4, 4.4.5 and 4.5.0 [1]; administrators should upgrade to the fixed release for their branch or to any later version. The CVE identifier was published on 2020-06-19, well after those releases shipped, so the absence of this CVE from older scan results says nothing about whether a 4.x deployment is affected; the running version is what matters. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, but that catalog only records confirmed in-the-wild exploitation, and an unauthenticated crash is cheap to trigger, so patch promptly rather than wait for a listing. The Mattermost security updates page [3] explains how to subscribe to future security bulletins.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched version |
|---|---|---|---|
| github.com/mattermost/mattermost-server | Go | < 4.2.2 | 4.2.2 |
| github.com/mattermost/mattermost-server | Go | >= 4.3.0-rc1, < 4.3.4 | 4.3.4 |
| github.com/mattermost/mattermost-server | Go | >= 4.4.0-rc1, < 4.4.5 | 4.4.5 |
| github.com/mattermost/mattermost-server | Go | >= 4.5.0-rc1, < 4.5.0 | 4.5.0 |
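The ranges above are easy to misread by eye: each branch has its own fixed version, and the release candidates sort below the final release, so 4.5.0-rc1 is affected while 4.5.0 is not. The following Go program is an added example written for this page, not code from Mattermost or from the GHSA tooling. It hard-codes the four table rows and reports whether a given Mattermost Server version string falls inside an affected range and which fixed version applies. The version-string format (MAJOR.MINOR.PATCH with an optional -rcN suffix, as the table uses) is an assumption; how you obtain the version of a running server is left to the reader.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// VersionRange is one row of the Affected packages table on this page:
// Lower is inclusive (">="), empty for no lower bound; Upper is exclusive ("<").
type VersionRange struct {
	Lower, Upper, Fixed string
}

// AffectedRanges copies the four GHSA rows for github.com/mattermost/mattermost-server.
var AffectedRanges = []VersionRange{
	{"", "4.2.2", "4.2.2"},
	{"4.3.0-rc1", "4.3.4", "4.3.4"},
	{"4.4.0-rc1", "4.4.5", "4.4.5"},
	{"4.5.0-rc1", "4.5.0", "4.5.0"},
}

// version is major, minor, patch and a pre-release rank that sorts
// release candidates below the final release (4.5.0-rc1 < 4.5.0).
type version [4]int
const finalRelease = 1 << 30 // rank above any "rcN"

func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	core, pre := s, ""
	if i := strings.IndexByte(s, '-'); i >= 0 {
		core, pre = s[:i], s[i+1:]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("version %q: want MAJOR.MINOR.PATCH[-rcN]", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("version %q: bad component %q", s, p)
		}
		v[i] = n
	}
	// Assumption: only "rcN" pre-release tags need ordering, which is all the
	// table uses. Any other tag ranks below every rc.
	v[3] = finalRelease
	if pre != "" {
		v[3], _ = strconv.Atoi(strings.TrimPrefix(pre, "rc"))
	}
	return v, nil
}

// compareVersions returns -1, 0 or 1 by lexicographic order of the four ranks.
func compareVersions(a, b version) int {
	for i := range a {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// mustParse is for the hard-coded table bounds, which are known to be well-formed.
func mustParse(s string) version {
	v, err := parseVersion(s)
	if err != nil {
		panic(err)
	}
	return v
}

// IsAffected reports whether v falls inside an affected range and, if so,
// the patched version for that branch.
func IsAffected(v string) (bool, string, error) {
	ver, err := parseVersion(v)
	if err != nil {
		return false, "", err
	}
	for _, r := range AffectedRanges {
		if r.Lower != "" && compareVersions(ver, mustParse(r.Lower)) < 0 {
			continue
		}
		if compareVersions(ver, mustParse(r.Upper)) < 0 {
			return true, r.Fixed, nil
		}
	}
	return false, "", nil
}

func main() {
	// Constructed sample inputs: one per branch plus the rc edge cases.
	for _, v := range []string{"4.1.0", "4.2.2", "4.3.3", "4.4.5-rc1", "4.5.0-rc2", "4.5.0", "4.6.0"} {
		affected, fixed, err := IsAffected(v)
		fmt.Printf("%-10s affected=%v fixed=%q err=%v\n", v, affected, fixed, err)
	}
}
```

The program reproduces the advisory data rather than second-guessing it: a version such as 4.2.3 is reported as unaffected because the table lists no range between 4.2.2 and 4.3.0-rc1, and anything below 4.2.2, including every 3.x release, matches the first row because that row has no lower bound.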
Affected products
- Mattermost / Mattermost Server
  - pkg:golang/github.com/mattermost/mattermost-server (GHSA coordinates, no CPE): < 4.2.2, plus the three further ranges in the Affected packages table above (4.3.0-rc1 to 4.3.4, 4.4.0-rc1 to 4.4.5, 4.5.0-rc1 to 4.5.0)
  - pkg:rpm/opensuse/govulncheck-vulndb, distro openSUSE Leap 15.6 (no CPE): < 0.0.20251209T172047-150000.1.127.1
  - pkg:rpm/suse/govulncheck-vulndb, distro SUSE Linux Enterprise Module for Package Hub 15 SP6 (no CPE): < 0.0.20251209T172047-150000.1.127.1

The two govulncheck-vulndb entries describe the SUSE packaging of the Go vulnerability database that govulncheck consults, not a Mattermost build: a vulndb package older than that version simply lacks the record for this CVE, so the range is a data-freshness bound rather than a second affected product.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-jc6w-8r7f-vmp5 (GitHub Security Advisory)
2. nvd.nist.gov/vuln/detail/CVE-2017-18871 (NVD entry, cited via the GHSA)
3. mattermost.com/security-updates (Mattermost security updates, cited via the GHSA)
4. mattermost.com/security-updates/ (Mattermost security updates, MITRE x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.