Moderate severityNVD Advisory· Published Jan 9, 2025· Updated Jan 9, 2025
DoS via custom post type for sysconsole plugin readers
CVE-2025-20033
Description
Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | >= 9.11.0, < 9.11.16 | 9.11.16 |
github.com/mattermost/mattermost/server/v8Go | >= 10.0.0, < 10.0.4 | 10.0.4 |
github.com/mattermost/mattermost/server/v8Go | >= 10.1.0, < 10.1.4 | 10.1.4 |
github.com/mattermost/mattermost/server/v8Go | >= 10.2.0, < 10.2.1 | 10.2.1 |
github.com/mattermost/mattermost/server/v8Go | < 8.0.0-20250102081831-64c566a8280b | 8.0.0-20250102081831-64c566a8280b |
Affected products
1- Range: 10.2.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-2549-xh72-qrpmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-20033ghsaADVISORY
- mattermost.com/security-updatesghsaWEB
News mentions
0No linked articles in our index yet.