CVE-2025-35965 — Allocation of Resources Without Limits or Throttling in Mattermost Mattermost-plugin-playbooks

CWE-770 — Allocation of Resources Without Limits or Throttling CWE-1284 — Improper Validation of Specified Quantity in Input6 documents5 sources

Severity

7.5HIGHNVD

CNA6.5

EPSS

0.3%

top 43.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-plugin-playbooks Github.com Mattermost Mattermost Server V8 Mattermost Server +2 more

Timeline

PublishedApr 24

Description

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDmattermost/mattermost_server9.11.0 — 9.11.11+2

▶Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20250218121836-2b5275d87136+3

▶Gogithub.com/mattermost_mattermost-server+2

▶Gogithub.com/mattermost_mattermost-plugin-playbooks< 1.41.0+1

▶CVEListV5mattermost/mattermost10.4.0 — 10.4.2+2

🔴Vulnerability Details

OSV

Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks↗2025-04-24

▶

OSV

Mattermost Playbooks fails to validate the uniqueness and quantity of task actions↗2025-04-24

▶

CVEList

DoS in Mattermost Playbooks via Excessive Task Actions↗2025-04-24

▶

GHSA

Mattermost Playbooks fails to validate the uniqueness and quantity of task actions↗2025-04-24

▶

📋Vendor Advisories

Microsoft

Bluetooth: L2CAP: Fix not validating setsockopt user input↗2024-05-14

▶