Impact
The vulnerability is an unbounded request body read on the MS Teams Plugin /changes webhook endpoint, allowing an authenticated attacker to send an oversized JSON payload that consumes memory and causes the system to become unresponsive. The primary impact is denial of service: the plugin buffers and processes the large input, exhausting server memory and potentially affecting availability for all users of the application. This flaw maps to CWE-770 (Allocation of Resources Without Limits or Throttling).
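To make the weakness concrete from the defender's side, here is an added Go example (Mattermost plugins are written in Go) that is not the plugin's own code. It places the unbounded pattern, an io.ReadAll over the raw request body, next to a hardened handler that wraps the body in http.MaxBytesReader before decoding. The endpoint path, the payload shape (changePayload) and the 1 MiB limit are assumptions chosen for illustration; the sample payloads are constructed in the block.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodyBytes caps how much of a webhook body the hardened handler reads.
// The value is an assumption for this example, not a Mattermost setting.
const maxBodyBytes = 1 << 20 // 1 MiB

// changePayload is a hypothetical stand-in for the webhook's JSON body.
type changePayload struct {
	Value []json.RawMessage `json:"value"`
}

// unboundedHandler mirrors the weak pattern: io.ReadAll with no cap, so the
// amount of memory allocated is dictated entirely by the client.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body) // no limit: buffer grows with the payload
	if err != nil {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	var p changePayload
	if err := json.Unmarshal(body, &p); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// boundedHandler wraps the body in http.MaxBytesReader, so any read past
// maxBodyBytes fails with *http.MaxBytesError and is answered with 413.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	var p changePayload
	if err := json.NewDecoder(r.Body).Decode(&p); err != nil {
		var mbe *http.MaxBytesError
		if errors.As(err, &mbe) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// post drives a handler with an in-memory request and returns the HTTP status.
func post(h http.HandlerFunc, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/changes", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	h(rec, req)
	return rec.Code
}

// oversizedJSON builds a syntactically valid JSON document twice the size of
// maxBodyBytes (constructed sample input, not a real webhook message).
func oversizedJSON() string {
	return `{"value":["` + strings.Repeat("A", 2*maxBodyBytes) + `"]}`
}

func main() {
	small := `{"value":[{"id":"1"}]}` // constructed sample input
	fmt.Println("unbounded, small payload:    ", post(unboundedHandler, small))
	fmt.Println("unbounded, oversized payload:", post(unboundedHandler, oversizedJSON()))
	fmt.Println("bounded, small payload:      ", post(boundedHandler, small))
	fmt.Println("bounded, oversized payload:  ", post(boundedHandler, oversizedJSON()))
}
```

The unbounded handler accepts both payloads with 200, having allocated the full oversized body in memory; the bounded handler still accepts the small payload but rejects the oversized one with 413 after reading at most the limit plus one byte. Decoding straight from the limited reader, rather than reading the whole body first, keeps the peak allocation bounded as well.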
Affected Systems
The Mattermost MS Teams plugin at version 2.1.3.0 and earlier is vulnerable. The affected component is the plugin's /changes webhook endpoint, which accepts JSON payloads from authenticated users. An attacker must hold legitimate credentials on the Mattermost instance to trigger the flaw; no anonymous exploitation path is described.
Risk and Exploitability
The CVSS score of 3.7 places the flaw in the Low severity band, and it is not listed in the CISA KEV catalog, indicating no known active exploitation. No EPSS score is available, so the current exploit probability cannot be quantified. Based on the description, the attack vector is an authenticated request to the vulnerable webhook: the attacker must already have access to the system and can induce a denial of service through crafted payloads. Absent further information on attack tooling or widespread exploitation, the risk is primarily one of internal service interruption rather than a high-impact breach.
OpenCVE Enrichment
GitHub GHSA