CVE-2025-14822: Mattermost is vulnerable to CPU exhaustion via crafted HTTP request
Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags, which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands of space-separated tokens.
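The advisory's root cause is missing input-size validation ahead of hashtag processing. As an added illustration (not Mattermost's own code; the byte and token limits and the `ExtractHashtags` function are assumed for this example), the following Go snippet shows a hashtag extractor that rejects oversized messages before doing any per-token work:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// Limits are assumed for this example; they are not Mattermost's own values.
const (
	maxMessageBytes = 16 * 1024
	maxTokens       = 1000
)

var ErrInputTooLarge = errors.New("message too large for hashtag processing")

// tagRune reports whether r may appear in a hashtag body.
func tagRune(r rune) bool {
	return unicode.IsLetter(r) || unicode.IsDigit(r) || r == '_' || r == '-'
}

// ExtractHashtags returns the distinct hashtags in msg. Both size checks run
// before any per-token scanning, so an oversized post is rejected cheaply
// instead of being tokenised and examined tag by tag.
func ExtractHashtags(msg string) ([]string, error) {
	if len(msg) > maxMessageBytes {
		return nil, ErrInputTooLarge
	}
	tokens := strings.Fields(msg) // allocation bounded by maxMessageBytes
	if len(tokens) > maxTokens {
		return nil, ErrInputTooLarge
	}
	seen := make(map[string]struct{})
	tags := []string{}
	for _, tok := range tokens {
		if !strings.HasPrefix(tok, "#") {
			continue
		}
		// Keep the leading run of tag runes after '#': "#go," -> "#go".
		end := strings.IndexFunc(tok[1:], func(r rune) bool { return !tagRune(r) })
		if end == 0 {
			continue // '#' followed by a non-tag rune, e.g. "##"
		}
		tag := tok
		if end > 0 {
			tag = tok[:1+end]
		}
		if len(tag) == 1 {
			continue // lone "#"
		}
		if _, dup := seen[tag]; !dup {
			seen[tag] = struct{}{}
			tags = append(tags, tag)
		}
	}
	return tags, nil
}

func main() {
	fmt.Println(ExtractHashtags("Notes: #security fix for #cve-2025-14822, see #security."))
}
```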
References
- github.com/advisories/GHSA-9r42-rhw3-2222
- github.com/mattermost/mattermost
- github.com/mattermost/mattermost/commit/4d86263f5430d0eb991fc52ec886cf778cb072e6
- github.com/mattermost/mattermost/commit/b3d6c0c564c1a79e54e5105d0a8b60fc58a2bdee
- mattermost.com/security-updates
- nvd.nist.gov/vuln/detail/CVE-2025-14822