CVE-2024-54682 in Mattermostinfo

Summary

by MITRE • 12/16/2024

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 09/30/2025

The vulnerability identified as CVE-2024-54682 affects Mattermost server installations across multiple version branches including 10.1.x up to 10.1.2, 10.0.x up to 10.0.2, 9.11.x up to 9.11.4, and 9.5.x up to 9.5.12. This issue represents a critical security flaw that undermines the system's ability to properly validate and restrict file upload sizes during slack import operations, creating a significant attack surface for denial of service attacks. The vulnerability specifically impacts users with team administrator privileges who can leverage this weakness to upload maliciously crafted files that exploit the lack of size limitations.

The technical flaw manifests in the slack import functionality where Mattermost fails to implement proper file size validation mechanisms for uploaded archives. This allows attackers to upload zip bomb files that appear small but expand to enormous sizes when decompressed, effectively consuming excessive system resources. The absence of size restrictions means that a single import operation can trigger resource exhaustion across multiple system components including disk space, memory allocation, and processing power. The vulnerability is particularly dangerous because it only requires team administrator privileges, which are often granted to trusted users within organizations, making the attack vector more accessible than typical privilege escalation scenarios.

The operational impact of this vulnerability extends beyond simple service disruption to encompass potential system instability and resource exhaustion across the entire Mattermost deployment. When a zip bomb is successfully imported, the system experiences massive resource consumption that can lead to complete service unavailability, application crashes, and potential data corruption. The attack can be executed without requiring elevated privileges beyond team administrator access, making it particularly concerning for organizations that maintain multiple teams with different levels of access control. Additionally, the DoS condition can persist until manual intervention occurs, potentially requiring system restarts or extensive cleanup operations.

This vulnerability aligns with CWE-400, which addresses "Uncontrolled Resource Consumption" and specifically relates to the lack of proper input validation for file size constraints. The attack pattern follows ATT&CK technique T1499.004, which covers "File System Wipe" through resource exhaustion, though in this case the impact is more accurately described as DoS rather than complete system wipe. Organizations should consider implementing immediate mitigations including network-level restrictions on file upload sizes, implementing automated monitoring for unusual resource consumption patterns, and conducting thorough access control reviews to limit team administrator privileges where possible. The recommended fix involves implementing strict file size validation for all slack import operations and establishing comprehensive resource limits that prevent any single import operation from consuming excessive system resources, thereby maintaining system availability and preventing unauthorized resource exhaustion attacks.

Responsible

Mattermost

Reservation

12/11/2024

Disclosure

12/16/2024

Moderation

accepted

CPE

ready

EPSS

0.00416

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!