Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.
Fixes

Solution

Update Mattermost to versions 10.4.0, 9.11.7 or higher.


Workaround

No workaround given by the vendor.

References
History

Mon, 29 Sep 2025 18:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mattermost mattermost Server
CPEs | | cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products | | Mattermost mattermost Server

Mon, 14 Jul 2025 13:45:00 +0000

Type | Values Removed | Values Added
Metrics | epss {'score': 0.00028} | epss {'score': 0.00031}


Sun, 13 Jul 2025 13:45:00 +0000

Type | Values Removed | Values Added
Metrics | epss {'score': 0.00051} | epss {'score': 0.00028}


Fri, 14 Feb 2025 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 14 Feb 2025 18:00:00 +0000

Type | Values Removed | Values Added
Description | | Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.
Title | | Leaked User IDs and Metadata of Deleted DMs
Weaknesses | | CWE-754
References | |
Metrics | | cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2025-02-14T18:09:02.166Z

Reserved: 2025-01-15T18:13:55.213Z

Link: CVE-2025-0503

Vulnrichment

Updated: 2025-02-14T18:08:57.286Z

NVD

Status: Analyzed

Published: 2025-02-14T18:15:23.870

Modified: 2025-09-29T18:11:58.467

Link: CVE-2025-0503

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-07-12T15:26:28Z