Application-Level DoS via infinite re-render loop in user profile handling
Description
Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors, which allows authenticated users to cause an application-level DoS by triggering unbounded component re-render loops.
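The effect pattern changed by the patches listed under Patches, modelled as an added example (not Mattermost or React code). It assumes that a failed fetch writes an error to the store and schedules a re-render, and that `remoteNames` and `actions` get a new identity on every render; `depsChanged` and `simulate` are hypothetical helper names.

```javascript
// Model of React's useEffect dependency check (Object.is per slot).
// Added illustration; not Mattermost or React code.
function depsChanged(prev, next) {
    return !prev || prev.length !== next.length ||
        next.some((dep, i) => !Object.is(dep, prev[i]));
}

// Re-renders a UserProfile-like component while a render is pending, up to a
// budget, and returns how often the remote-cluster fetch was dispatched.
function simulate(buildDeps, shouldFetch, maxRenders = 25) {
    const store = {remoteNames: [], errors: 0}; // fetch always fails: names stay empty
    let prevDeps = null;
    let fetches = 0;
    let renders = 0;
    let pending = true; // initial mount
    while (pending && renders < maxRenders) {
        pending = false;
        renders++;
        // Assumption: props are rebuilt on each render, so the array and the
        // actions object have a new identity every time.
        const props = {
            user: {remote_id: 'remote-1'}, // constructed sample value
            remoteNames: [...store.remoteNames],
            actions: {fetchRemoteClusterInfo: () => {
                fetches++;
                store.errors++; // Assumption: the API error is written to the store,
                pending = true; // which schedules another render.
            }},
        };
        const deps = buildDeps(props);
        if (depsChanged(prevDeps, deps) && shouldFetch(props)) {
            props.actions.fetchRemoteClusterInfo(props.user.remote_id);
        }
        prevDeps = deps;
    }
    return {renders, fetches, hitBudget: pending};
}

// Pre-patch effect from user_profile.tsx: guard and deps use remoteNames and actions.
const before = simulate(
    (p) => [p.user?.remote_id, p.remoteNames, p.actions],
    (p) => Boolean(p.user?.remote_id && (!p.remoteNames || p.remoteNames.length === 0)),
);
// Patched effect: re-runs only when remote_id changes.
const after = simulate(
    (p) => [p.user?.remote_id],
    (p) => Boolean(p.user?.remote_id),
);
console.log({before, after});
```

The render budget exists only so the pre-patch case terminates; in the patched case the loop ends on its own after the second render.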
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-server (Go) | >= 10.11.0, < 10.11.9 | 10.11.9 |
| github.com/mattermost/mattermost-server (Go) | >= 11.1.0, < 11.1.2 | 11.1.2 |
| github.com/mattermost/mattermost-server (Go) | >= 11.0.0, < 11.0.7 | 11.0.7 |
Affected products
- Range: @mattermost/client@10.11.0, @mattermost/client@11.0.4, @mattermost/client@11.1.0, …
Patches
613bb616cd62 Avoid triggering unnecessary rerenders on the shared channels tooltip for users (#34336) (#34702)
1 file changed · +2 −2
webapp/channels/src/components/user_profile/user_profile.tsx+2 −2 modified@@ -36,10 +36,10 @@ export default function UserProfile({ }: Props) { // Fetch remote info when component mounts for remote users useEffect(() => { - if (user?.remote_id && (!remoteNames || remoteNames.length === 0)) { + if (user?.remote_id) { actions.fetchRemoteClusterInfo(user.remote_id); } - }, [user?.remote_id, remoteNames, actions]); + }, [user?.remote_id]); let name: ReactNode; if (user && displayUsername) { name = `@${(getUsername(user))}`;
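Review bot: in the user_profile.tsx hunk, the new dependency array `[user?.remote_id]` leaves out `actions`, which the effect body still reads, so `react-hooks/exhaustive-deps` (if enabled) will flag it and a later cleanup could put the dependency back. Add a short comment above the array saying the omission is deliberate, or extend the existing "Fetch remote info when component mounts" comment to say so. Also, this commit changes only user_profile.tsx ("1 file changed"), while the other two commits with the same title also change member.tsx and user_details.tsx; confirm that this branch does not carry the same effect in those components.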
9f7629504bc9 Avoid triggering unnecessary rerenders on the shared channels tooltip for users (#34336) (#34698)
3 files changed · +6 −6
webapp/channels/src/components/channel_members_rhs/member.tsx+2 −2 modified@@ -38,10 +38,10 @@ const Member = ({channel, member, index, totalUsers, editing, actions}: Props) = // Fetch remote info when component mounts for remote users useEffect(() => { - if (member.user.remote_id && !member.remoteDisplayName) { + if (member.user.remote_id) { actions.fetchRemoteClusterInfo(member.user.remote_id); } - }, [member.user.remote_id, member.remoteDisplayName, actions.fetchRemoteClusterInfo]); + }, [member.user.remote_id]); const userProfileSrc = Client4.getProfilePictureUrl(member.user.id, member.user.last_picture_update);
webapp/channels/src/components/more_direct_channels/list_item/user_details/user_details.tsx+2 −2 modified@@ -39,10 +39,10 @@ export default function UserDetails(props: Props): JSX.Element { // Fetch remote info when component mounts for remote users useEffect(() => { - if (option.remote_id && (!remoteDisplayName)) { + if (option.remote_id) { actions.fetchRemoteClusterInfo(option.remote_id); } - }, [option.remote_id, remoteDisplayName, actions.fetchRemoteClusterInfo]); + }, [option.remote_id]); const { id,
webapp/channels/src/components/user_profile/user_profile.tsx+2 −2 modified@@ -36,10 +36,10 @@ export default function UserProfile({ }: Props) { // Fetch remote info when component mounts for remote users useEffect(() => { - if (user?.remote_id && (!remoteNames || remoteNames.length === 0)) { + if (user?.remote_id) { actions.fetchRemoteClusterInfo(user.remote_id); } - }, [user?.remote_id, remoteNames, actions]); + }, [user?.remote_id]); let name: ReactNode; if (user && displayUsername) { name = `@${(getUsername(user))}`;
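Review bot: in the member.tsx hunk, dropping `!member.remoteDisplayName` from the `if` as well as from the dependency array means every mounted row for a remote user now dispatches `fetchRemoteClusterInfo`, even when the display name is already loaded. Removing it from the dependency array alone already stops the effect from re-running; consider keeping the check in the condition (`if (member.user.remote_id && !member.remoteDisplayName)`) with `[member.user.remote_id]` as the only dependency, or confirm that the action de-duplicates requests per `remote_id`.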
cc6b77b27132 Avoid triggering unnecessary rerenders on the shared channels tooltip for users (#34336) (#34699)
3 files changed · +6 −6
webapp/channels/src/components/channel_members_rhs/member.tsx+2 −2 modified@@ -38,10 +38,10 @@ const Member = ({channel, member, index, totalUsers, editing, actions}: Props) = // Fetch remote info when component mounts for remote users useEffect(() => { - if (member.user.remote_id && !member.remoteDisplayName) { + if (member.user.remote_id) { actions.fetchRemoteClusterInfo(member.user.remote_id); } - }, [member.user.remote_id, member.remoteDisplayName, actions.fetchRemoteClusterInfo]); + }, [member.user.remote_id]); const userProfileSrc = Client4.getProfilePictureUrl(member.user.id, member.user.last_picture_update);
webapp/channels/src/components/more_direct_channels/list_item/user_details/user_details.tsx+2 −2 modified@@ -39,10 +39,10 @@ export default function UserDetails(props: Props): JSX.Element { // Fetch remote info when component mounts for remote users useEffect(() => { - if (option.remote_id && (!remoteDisplayName)) { + if (option.remote_id) { actions.fetchRemoteClusterInfo(option.remote_id); } - }, [option.remote_id, remoteDisplayName, actions.fetchRemoteClusterInfo]); + }, [option.remote_id]); const { id,
webapp/channels/src/components/user_profile/user_profile.tsx+2 −2 modified@@ -36,10 +36,10 @@ export default function UserProfile({ }: Props) { // Fetch remote info when component mounts for remote users useEffect(() => { - if (user?.remote_id && (!remoteNames || remoteNames.length === 0)) { + if (user?.remote_id) { actions.fetchRemoteClusterInfo(user.remote_id); } - }, [user?.remote_id, remoteNames, actions]); + }, [user?.remote_id]); let name: ReactNode; if (user && displayUsername) { name = `@${(getUsername(user))}`;
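Review bot: for the user_details.tsx hunk, and the other two files in this commit, the change is +6 −6 across three components with no test file touched, so nothing guards the behaviour the fix is for. Add a component test that makes `actions.fetchRemoteClusterInfo` fail for an `option.remote_id` and asserts it was called once after several re-renders with fresh `actions` and `remoteDisplayName` props.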
References
- github.com/advisories/GHSA-mx8m-v8qm-xwr8 [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2025-14435 [ghsa, ADVISORY]
- github.com/mattermost/mattermost/commit/613bb616cd62c584a606919e6978688e7b87d81e [ghsa, WEB]
- github.com/mattermost/mattermost/commit/9f7629504bc93f79af8d606329c025a687e143cd [ghsa, WEB]
- github.com/mattermost/mattermost/commit/cc6b77b271324796b72f1e6b82dba85a86462f9f [ghsa, WEB]
- mattermost.com/security-updates [ghsa, WEB]
- pkg.go.dev/vuln/GO-2026-4326 [ghsa, WEB]