Mattermost versions 11.4.x (up to 11.4.0), 11.3.x (up to 11.3.1), 11.2.x (up to 11.2.3), and 10.11.x (up to 10.11.11) fail to validate the size of decompressed archive entries during extraction. An authenticated user with permission to upload files can craft a zip archive that expands to an enormous size (zip bomb). On extraction the server consumes large amounts of memory, eventually crashing or becoming unresponsive, thereby causing a denial of service. The weakness is a failure to enforce size limits on incoming files.

The vulnerability affects Mattermost Server installations running the listed versions. Specifically, all deployments of versions 11.4.0 or earlier, 11.3.1 or earlier, 11.2.3 or earlier, and 10.11.11 or earlier are impacted, regardless of the environment or operating system.

The CVSS score of 6.5 indicates moderate severity and the EPSS score of less than 1% suggests that exploitation is unlikely in the near term. The vulnerability is not listed in the CISA KEV catalog. An attacker needs only an authenticated account with file upload permissions to trigger the denial of service; no elevated privileges are required. Once activated, the server consumes excessive memory during zip extraction, potentially causing the Mattermost service to crash or become unresponsive for all users. While this does not expose data or modify system state, the availability impact can disrupt business operations relying on the messaging platform. Consequently, the risk is moderate but present, especially in environments where file uploads are enabled and the application is not promptly patched.