CVE-2025-41395 — Improper Validation of Specified Type of Input in Mattermost Mattermost-plugin-playbooks

CWE-1287 — Improper Validation of Specified Type of Input5 documents4 sources

Severity

7.5HIGHNVD

CNA6.5

EPSS

0.1%

top 67.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-plugin-playbooks Github.com Mattermost Mattermost Server V8 Mattermost Server +2 more

Timeline

PublishedApr 24

Description

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of service (DoS) of the web app for all users.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶Gogithub.com/mattermost_mattermost-plugin-playbooks< 1.41.0+1

▶NVDmattermost/mattermost_server9.11.0 — 9.11.11+2

▶Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20250218121836-2b5275d87136+3

▶CVEListV5mattermost/mattermost10.4.0 — 10.4.2+2

▶Gogithub.com/mattermost_mattermost-server+2

🔴Vulnerability Details

OSV

Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks↗2025-04-24

▶

GHSA

Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type↗2025-04-24

▶

OSV

Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type↗2025-04-24

▶

CVEList

Webapp DoS via malicious retrospective post in Playbooks↗2025-04-24

▶