Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input.
Fixes

Solution

Update Mattermost to versions 10.3.0, 2.23.0, 10.2.1, 9.11.6, 10.0.4, 10.1.4 or higher.


Workaround

No workaround given by the vendor.

References
History

Tue, 30 Sep 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost mattermost Server
CPEs cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_server:10.2.0:-:*:*:*:*:*:*
Vendors & Products Mattermost mattermost Server

Wed, 15 Jan 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Jan 2025 16:00:00 +0000

Type Values Removed Values Added
Description Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input.
Title WebApp crash via improper validation of proto style in attachments
Weaknesses CWE-704
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2025-01-15T16:20:11.778Z

Reserved: 2025-01-15T15:30:33.435Z

Link: CVE-2025-21088

cve-icon Vulnrichment

Updated: 2025-01-15T16:19:05.431Z

cve-icon NVD

Status : Analyzed

Published: 2025-01-15T16:15:32.413

Modified: 2025-09-30T15:52:59.580

Link: CVE-2025-21088

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-13T11:07:18Z