Moderate severityNVD Advisory· Published Jan 16, 2025· Updated Jan 16, 2025
Webapp crash via object that can't be cast to String in Attachment Field
CVE-2025-20621
Description
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | >= 10.2.0, < 10.2.1 | 10.2.1 |
github.com/mattermost/mattermost/server/v8Go | >= 10.1.0, < 10.1.4 | 10.1.4 |
github.com/mattermost/mattermost/server/v8Go | >= 10.0.0, < 10.0.4 | 10.0.4 |
github.com/mattermost/mattermost/server/v8Go | >= 9.11.0, < 9.11.6 | 9.11.6 |
github.com/mattermost/mattermost/server/v8Go | < 8.0.0-20241127161322-25ff7a3779a5 | 8.0.0-20241127161322-25ff7a3779a5 |
Affected products
1- Range: 10.2.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-w6xh-c82w-h997ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-20621ghsaADVISORY
- mattermost.com/security-updatesghsaWEB
News mentions
0No linked articles in our index yet.