CVE-2025-14822

Medium

Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to…

Mattermost·CWE-407·Published 2026-01-16

CVSS

6.5

EPSS

0.00

KEV

Exploits

cve.orgen

239 chars

Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens

NVDen

239 chars

OSV.deven

419 chars

Mattermost is vulnerable to CPU exhaustion via crafted HTTP request in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

GHSAen

240 chars

NVDes

297 chars

Las versiones de Mattermost 10.11.x <= 10.11.8 no validan el tamaño de la entrada antes de procesar los hashtags, lo que permite a un atacante autenticado agotar los recursos de la CPU a través de una única solicitud HTTP que contiene una publicación con miles de tokens separados por espacios.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	NVD	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
3.1	Primary	cve.org	3.1	—	—	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
3.1	Secondary	NVD	3.1	1.6	1.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
3.1	Secondary	GHSA	3.1	—	—	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L