Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props.
Fixes

Solution

Update Mattermost to versions 10.3.0, 10.2.1, 9.11.6, 10.0.4, 10.1.4 or higher.


Workaround

No workaround given by the vendor.

History

Thu, 02 Oct 2025 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost mattermost Server
CPEs cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products Mattermost mattermost Server

Sat, 11 Jan 2025 02:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 09 Jan 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Jan 2025 07:00:00 +0000

Type Values Removed Values Added
Description Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props.
Title DoS via custom post type for sysconsole plugin readers
Weaknesses CWE-1287
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2025-01-09T15:05:20.599Z

Reserved: 2025-01-08T11:07:12.589Z

Link: CVE-2025-20033

cve-icon Vulnrichment

Updated: 2025-01-09T15:05:14.797Z

cve-icon NVD

Status : Analyzed

Published: 2025-01-09T07:15:28.450

Modified: 2025-10-02T17:26:14.850

Link: CVE-2025-20033

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-01-09T06:55:02Z

Links: CVE-2025-20033 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2025-07-13T11:07:21Z