Moderate severity · NVD Advisory · Published Apr 24, 2025 · Updated Apr 24, 2025
DoS in Mattermost Playbooks via Excessive Task Actions
CVE-2025-35965
Description
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition.
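To make the failure concrete, the following is an added Go example, not code from Mattermost or the Playbooks plugin, that puts a validator with the pre-fix behaviour beside a hardened one. The type names, the trigger and action type strings, and the 10-per-item ceiling (taken from the fix commit below) are this example's assumptions modelled on the description; the uniqueness check is also this example's addition, since the fix commit only bounds the count. A constructed request carrying 5,000 distinct task actions passes the unbounded validator, and a helper counts how many trigger evaluations every later post would then cost the server.

```go
package main

import (
	"fmt"
	"strings"
)

// Shapes modelled on the advisory text: a checklist item holds task actions, each a
// trigger plus the actions it fires. Names are assumptions, not the plugin's own types.
type TriggerAction struct{ Type, Payload string }

type TaskAction struct {
	Trigger TriggerAction
	Actions []TriggerAction
}

type ChecklistItem struct{ TaskActions []TaskAction }

// MaxTaskActions is the per-item ceiling the fix commit introduced.
const MaxTaskActions = 10

// validateTrigger stands in for the plugin's trigger check (shape only; the type string is illustrative).
func validateTrigger(t TriggerAction) error {
	if t.Type != "keywords" || strings.TrimSpace(t.Payload) == "" {
		return fmt.Errorf("invalid trigger %q with payload %q", t.Type, t.Payload)
	}
	return nil
}

// validateTaskActionsUnbounded reproduces the pre-fix behaviour: triggers are
// shape-checked, but nothing bounds their number or rejects repeats.
func validateTaskActionsUnbounded(tas []TaskAction) error {
	for _, ta := range tas {
		if err := validateTrigger(ta.Trigger); err != nil {
			return err
		}
	}
	return nil
}

// taskActionKey canonicalises a task action so exact repeats collide.
func taskActionKey(ta TaskAction) string {
	parts := []string{ta.Trigger.Type, ta.Trigger.Payload}
	for _, a := range ta.Actions {
		parts = append(parts, a.Type, a.Payload)
	}
	return strings.Join(parts, "\x00")
}

// validateTaskActionsHardened adds the count ceiling from the fix commit and
// a uniqueness check (this example's addition; the fix only limits the count).
func validateTaskActionsHardened(tas []TaskAction) error {
	if len(tas) > MaxTaskActions {
		return fmt.Errorf("checklist item cannot have more than %d task actions, got %d", MaxTaskActions, len(tas))
	}
	seen := make(map[string]struct{}, len(tas))
	for i, ta := range tas {
		if err := validateTrigger(ta.Trigger); err != nil {
			return err
		}
		k := taskActionKey(ta)
		if _, dup := seen[k]; dup {
			return fmt.Errorf("task action %d duplicates an earlier one", i)
		}
		seen[k] = struct{}{}
	}
	return nil
}

// triggerEvaluationsPerPost is the work one incoming post costs once items are
// stored: one trigger match per task action. Unbounded, this is what an attacker multiplies.
func triggerEvaluationsPerPost(items []ChecklistItem) int {
	n := 0
	for _, it := range items {
		n += len(it.TaskActions)
	}
	return n
}

// floodItem builds a constructed item with n task actions; with distinct=false
// every action is identical, which exercises the uniqueness check.
func floodItem(n int, distinct bool) ChecklistItem {
	tas := make([]TaskAction, n)
	for i := range tas {
		kw := "incident"
		if distinct {
			kw = fmt.Sprintf("kw%d", i)
		}
		tas[i] = TaskAction{
			Trigger: TriggerAction{Type: "keywords", Payload: `{"keywords":["` + kw + `"]}`},
			Actions: []TriggerAction{{Type: "mark_item_as_done", Payload: "{}"}},
		}
	}
	return ChecklistItem{TaskActions: tas}
}

func main() {
	flood := floodItem(5000, true)
	fmt.Println("pre-fix accepts 5000 actions:", validateTaskActionsUnbounded(flood.TaskActions) == nil)
	fmt.Println("trigger evaluations per post once stored:", triggerEvaluationsPerPost([]ChecklistItem{flood}))
	fmt.Println("hardened, 5000:", validateTaskActionsHardened(flood.TaskActions))
	fmt.Println("hardened, 3 repeats:", validateTaskActionsHardened(floodItem(3, false).TaskActions))
}
```

The unbounded validator does the same per-trigger work as the hardened one; the difference is only that it never asks how many triggers it is about to persist, which is exactly the gap the description names. Keying the uniqueness check on the canonical trigger plus action list (rather than on the trigger alone) keeps two legitimately different actions on the same keyword from being rejected.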
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8 | Go | < 8.0.0-20250218121836-2b5275d87136 | 8.0.0-20250218121836-2b5275d87136 |
| github.com/mattermost/mattermost-plugin-playbooks | Go | >= 2.0.0 | — |
| github.com/mattermost/mattermost/server/v8 | Go | >= 10.4.0 | — |
| github.com/mattermost/mattermost/server/v8 | Go | >= 10.5.0 | — |
| github.com/mattermost/mattermost/server/v8 | Go | >= 9.11.0 | — |
| github.com/mattermost/mattermost-plugin-playbooks | Go | < 1.41.0 | 1.41.0 |
Affected products
- Range: 10.4.0
Patches
2b5275d87136 chore: Update Playbooks plugin to v2.1.1 (#29996)
1 file changed · +1 −1
server/Makefile+1 −1 modified@@ -141,7 +141,7 @@ PLUGIN_PACKAGES += mattermost-plugin-gitlab-v1.9.1 PLUGIN_PACKAGES += mattermost-plugin-jira-v4.2.0 # We need to prepackage both versions of playbooks and install the correct one based on the server license. See MM-60025. PLUGIN_PACKAGES += mattermost-plugin-playbooks-v1.40.0 -PLUGIN_PACKAGES += mattermost-plugin-playbooks-v2.0.1 +PLUGIN_PACKAGES += mattermost-plugin-playbooks-v2.1.1 PLUGIN_PACKAGES += mattermost-plugin-nps-v1.3.3 PLUGIN_PACKAGES += mattermost-plugin-servicenow-v2.3.4 PLUGIN_PACKAGES += mattermost-plugin-zoom-v1.8.0
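Review bot: this Makefile hunk bumps only the v2 prepackaged line (mattermost-plugin-playbooks-v2.0.1 to v2.1.1) and leaves `PLUGIN_PACKAGES += mattermost-plugin-playbooks-v1.40.0` untouched, while the advisory's own table lists mattermost-plugin-playbooks < 1.41.0 as affected and 1.41.0 as the patched release. The comment directly above these lines says both versions are prepackaged and the one installed depends on the server license, so a server that selects the v1 package still ships the vulnerable plugin after this commit; bump that line to v1.41.0 in the same change, or reference the follow-up commit that does.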
bf2633dad09f Limit task actions to 10 (#1964)
2 files changed · +9 −0
server/api/graphql_root_playbook.go+4 −0 modified@@ -531,6 +531,10 @@ func validateUpdateTaskActions(checklists []UpdateChecklist) error { for _, checklist := range checklists { for _, item := range checklist.Items { if taskActions := item.TaskActions; taskActions != nil { + // Limit task actions to 10 + if len(*taskActions) > 10 { + return errors.Errorf("playbook cannot have more than 10 task actions") + } for _, ta := range *taskActions { if err := app.ValidateTrigger(ta.Trigger); err != nil { return err
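Review bot: the new length check in validateUpdateTaskActions bounds only the number of task actions per checklist item and adds no uniqueness check, although the advisory description says both quantity and uniqueness went unvalidated; ten identical task actions on one item still pass. The message "playbook cannot have more than 10 task actions" is also misleading, since the check sits inside the per-item loop and says nothing about the playbook as a whole; "checklist item cannot have more than 10 task actions" matches what is enforced. The bare literal 10 is repeated in playbooks.go; a single shared constant would keep the two validators in step, which the NOTE in that file says is required.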
server/api/playbooks.go+5 −0 modified@@ -264,6 +264,11 @@ func validatePreAssignment(pb app.Playbook) error { // validateTaskActions validates the taskactions in the given checklist // NOTE: Any changes to this function must be made to function 'validateUpdateTaskActions' for the GraphQL endpoint. func validateTaskActions(taskActions []app.TaskAction) error { + // Limit task actions to 10 + if len(taskActions) > 10 { + return errors.Errorf("playbook cannot have more than 10 task actions") + } + for _, ta := range taskActions { if err := app.ValidateTrigger(ta.Trigger); err != nil { return err
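Review bot: validateTaskActions repeats the bare literal 10 and the same per-playbook error wording as the GraphQL hunk; given the NOTE directly above stating that any change here must be mirrored in validateUpdateTaskActions, define one package-level constant (say maxTaskActionsPerItem) and reference it from both, and reword the message to say "checklist item". Nothing in this hunk bounds the number of checklist items or checklists, so the total number of triggers a playbook can carry is still 10 times the item count; if that is intended, a comment saying so would stop the next reader from re-raising it.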
References
- GHSA-689c-xq7x-xjwf (advisory): github.com/advisories/GHSA-689c-xq7x-xjwf
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2025-35965
- Fix commit, Playbooks plugin: github.com/mattermost/mattermost-plugin-playbooks/commit/bf2633dad09f5768ce2bea4b7c5ffb74050052a8
- Fix commit, Mattermost server (prepackaged plugin bump): github.com/mattermost/mattermost/commit/2b5275d87136f07e016c8eca09a2f004b31afc8a
- Mattermost security updates: mattermost.com/security-updates