Regex DoS from a malicious server enrolled in Desktop
Description
Mattermost fails to validate a RegExp built from the server URL path, allowing an enrolled server to cause a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Mattermost Desktop builds a regular expression (RegExp) from the path component of an enrolled server's URL without validating or escaping it. Whoever controls an enrolled server can therefore supply a path that is interpreted as regex syntax rather than as a literal string, producing a pattern that is malformed or that backtracks catastrophically, so the Desktop app fails or exhausts CPU when it builds or evaluates that pattern. The vulnerability affects Mattermost Desktop versions prior to the fixed release published in late 2023 [1].
Exploitation
The precondition is control of an enrolled server, that is, a server the user has added to the Mattermost Desktop app; a user who enrolls a server operated by the attacker satisfies it. From that position the attacker controls the URL path the app works with and can supply path elements containing regex metacharacters. Because the app builds a RegExp from that path without sanitizing it, the result is either a pattern that throws when constructed or one that backtracks catastrophically when the app matches URLs against it. No further user interaction is required once the server is enrolled [1].
Impact
Successful exploitation causes a denial of service in the Mattermost Desktop app of the user who enrolled the malicious server, for example the app hanging or failing while it processes that server's URL. The impact is limited to availability of the client; there is no evidence of data disclosure, modification, or remote code execution [1].
Mitigation
The Mattermost Desktop security update released in late 2023 fixes the issue by validating the server URL path before it is used to build the RegExp. Users, and administrators who distribute the Desktop app, should upgrade to the fixed release. No workaround is published for unpatched installs; because the issue requires an enrolled server, the exposure of an unpatched client is limited to servers its user has chosen to add [1].
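The following is an added example and is not Mattermost Desktop's code. It reproduces the class of bug described under Exploitation in an Electron-style JavaScript context and shows the two fixes a reviewer would expect: escaping the path before building the RegExp, or dropping the RegExp in favour of a direct comparison of parsed URL components. The helper names (buildPathMatcherUnsafe, buildPathMatcherSafe, isUnderServerPath, escapeRegExp) and the malicious enrolment URLs are hypothetical and constructed for this demonstration.

```javascript
// Added example (not Mattermost Desktop's code). Helper names and the
// sample server URLs are hypothetical and constructed for this demonstration.
// Shows why interpolating an enrolled server's URL path into a RegExp is a
// denial-of-service bug, and two ways to build the check safely.

// VULNERABLE PATTERN: the path component is dropped straight into the pattern,
// so regex metacharacters chosen by whoever controls the server URL are
// interpreted as syntax. Note that URL parsing does not percent-encode
// characters such as "(", ")", "+", "$", "|", "[" or "]" in the path.
function buildPathMatcherUnsafe(serverUrl) {
  const { pathname } = new URL(serverUrl); // e.g. "/(a+)+b"
  return new RegExp(`^${pathname}`);
}

// Escape every RegExp metacharacter so the path is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// FIX 1: keep the RegExp, but build it only from an escaped, length-bounded
// path. The literal prefix must be followed by "/" or end of string so that
// "/team" does not match "/teamx".
function buildPathMatcherSafe(serverUrl, maxPathLength = 2048) {
  const { pathname } = new URL(serverUrl);
  if (pathname.length > maxPathLength) {
    throw new RangeError('server URL path too long'); // refuse the enrolment
  }
  const base = pathname.replace(/\/+$/, '');
  return new RegExp(`^${escapeRegExp(base)}(?:/|$)`);
}

// FIX 2: no regex at all. Compare parsed URL components directly; this is
// linear in the input length regardless of what the path contains.
function isUnderServerPath(serverUrl, candidateUrl) {
  const server = new URL(serverUrl);
  const candidate = new URL(candidateUrl, serverUrl);
  if (candidate.origin !== server.origin) return false;
  const base = server.pathname.replace(/\/+$/, '');
  return candidate.pathname === base || candidate.pathname.startsWith(base + '/');
}

// True when the unsafe builder cannot even construct the pattern; an
// uncaught SyntaxError at that point is itself a crash, i.e. a DoS.
function unsafeConstructionThrows(serverUrl) {
  try {
    buildPathMatcherUnsafe(serverUrl);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Wall-clock milliseconds for one match attempt; used to show backtracking.
function timeMatch(re, input) {
  const t0 = performance.now();
  re.test(input);
  return performance.now() - t0;
}

// Constructed malicious enrolment URLs.
const UNTERMINATED_GROUP = 'https://chat.example.com/team/(';  // malformed pattern
const BACKTRACKING_PATH = 'https://chat.example.com/(a+)+b';   // classic (a+)+ ReDoS

// The unsafe matcher treats "/(a+)+b" as syntax: "/aaab" matches, and a long
// run of "a" followed by a non-"b" makes it backtrack exponentially. Kept to
// 22 characters so the demo finishes quickly; each extra "a" doubles the work.
const unsafe = buildPathMatcherUnsafe(BACKTRACKING_PATH);
const slowInput = '/' + 'a'.repeat(22) + 'c';
console.log('unsafe matches /aaab:', unsafe.test('/aaab'));                   // true
console.log('unsafe ms on 22 a\'s:', timeMatch(unsafe, slowInput).toFixed(1));
console.log('unsafe throws on "(":', unsafeConstructionThrows(UNTERMINATED_GROUP)); // true

const safe = buildPathMatcherSafe(BACKTRACKING_PATH);
console.log('safe matches literal path:', safe.test('/(a+)+b/channel'));      // true
console.log('safe matches /aaab:', safe.test('/aaab'));                       // false
console.log('safe ms on same input:', timeMatch(safe, slowInput).toFixed(3));
console.log('no-regex check:',
  isUnderServerPath(BACKTRACKING_PATH, 'https://chat.example.com/(a+)+b/channel')); // true
```

Fix 2 is the stronger of the two: it removes the attacker-influenced RegExp entirely, and the origin comparison also catches a server that tries to redirect navigation off-host. Fix 1 is the minimal change when the surrounding code must keep returning a RegExp; the length bound is defence in depth, since even an escaped literal pattern of unbounded size is a cost the client should not pay on every navigation.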
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 listed (version ranges: 0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions: no linked articles in our index yet.