VYPR
Moderate severity · NVD Advisory · Published Sep 26, 2024 · Updated Sep 26, 2024

DoS via non-string message using permalink embed

CVE-2024-47003

Description

Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to validate that the message of the permalink post is a string, which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/mattermost/mattermost/server/v8 (Go)
Affected versions: < 8.0.0-20240806094731-69a8b3df0f9f
Patched versions: 8.0.0-20240806094731-69a8b3df0f9f

Affected products: 1

Patches: 1

69a8b3df0f9f

Cleanup post embed for WebSocket payload (#27763)

https://github.com/mattermost/mattermost · Harshil Sharma · Aug 6, 2024 · via ghsa
2 files changed · +9 −2
  • server/channels/app/post_metadata.go (+5 −2, modified)
    @@ -202,6 +202,11 @@ func (a *App) getEmbedsAndImages(c request.CTX, post *model.Post, isNewPost bool
     }
     
     func removePermalinkMetadataFromPost(post *model.Post) {
    +	removeEmbeddedPostsFromMetadata(post)
    +	post.DelProp(model.PostPropsPreviewedPost)
    +}
    +
    +func removeEmbeddedPostsFromMetadata(post *model.Post) {
     	if post.Metadata == nil || len(post.Metadata.Embeds) == 0 {
     		return
     	}
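Review bot: the new helper removeEmbeddedPostsFromMetadata is added without a doc comment and, within the visible hunks, its only caller is still removePermalinkMetadataFromPost; since the commit message says the purpose is cleaning embeds out of the WebSocket payload, the call site that invokes the helper on its own should be part of this change (or at least named in the commit message), otherwise the split alone does nothing for the WebSocket path. Suggest a comment such as `// removeEmbeddedPostsFromMetadata drops server-populated embeds so they are not re-sent to clients.` above the new function.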
    @@ -217,8 +222,6 @@ func removePermalinkMetadataFromPost(post *model.Post) {
     	}
     
     	post.Metadata.Embeds = newEmbeds
    -
    -	post.DelProp(model.PostPropsPreviewedPost)
     }
     
     func (a *App) sanitizePostMetadataForUserAndChannel(c request.CTX, post *model.Post, previewedPost *model.PreviewPost, previewedChannel *model.Channel, userID string) *model.Post {
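Review bot: moving post.DelProp(model.PostPropsPreviewedPost) out of the helper changes behaviour: in the old function the early return on `post.Metadata == nil || len(post.Metadata.Embeds) == 0` also skipped the DelProp, whereas removePermalinkMetadataFromPost now deletes the PostPropsPreviewedPost prop unconditionally. Removing a stale preview prop even when no embeds are present looks like the safer outcome, but it should be stated in the commit message and covered by a test for the nil-Metadata / empty-Embeds case.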
    
  • server/public/model/post.go (+4 −0, modified)
    @@ -508,6 +508,10 @@ func (o *Post) SanitizeProps() {
     func (o *Post) SanitizeInput() {
     	o.DeleteAt = 0
     	o.RemoteId = NewPointer("")
    +
    +	if o.Metadata != nil {
    +		o.Metadata.Embeds = nil
    +	}
     }
     
     func (o *Post) ContainsIntegrationsReservedProps() []string {
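Review bot: SanitizeInput now discards client-supplied Metadata.Embeds, which is the right place to enforce that embeds are derived server-side rather than accepted from the request; two follow-ups: the hunk only nils Embeds while the other fields of o.Metadata keep whatever the client sent, so confirm whether those are also meant to be server-derived and reset here, and add a unit test that a post arriving with pre-populated Embeds leaves SanitizeInput with `o.Metadata.Embeds == nil`.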
    
