CVE-2025-14822 in Mattermost
Summary
by MITRE • 01/16/2026
Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags, which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands of space-separated tokens.
Analysis
by VulDB Data Team • 02/27/2026
CVE-2025-14822 affects Mattermost server versions 10.11.x through 10.11.8. It is a resource exhaustion flaw that any authenticated user can trigger: the hashtag processing path does not validate the size of its input before working on it, so a crafted post can consume disproportionate CPU time on the server.
The flaw manifests when the server processes a post whose message contains thousands of space-separated tokens. Hashtags are extracted from the message text, and the server begins per-token processing without first checking the size of the message or the number of tokens it contains. An attacker therefore needs only one HTTP request, a post creation carrying a token-stuffed message, to tie up CPU on the server and degrade service for legitimate users.
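The following Go program is an added illustration of the pattern the advisory describes and of the check that was missing; it is constructed for this page and is not Mattermost's code. The hashtag regex, the size and token limits, and the function names are assumptions. The unbounded extractor does work proportional to whatever number of tokens the caller sends; the bounded variant rejects the post before any per-token work starts, and its counting loop itself stops early so the check cannot become the expensive step.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// Illustrative model of the pattern described in the advisory: hashtags are
// extracted from the post message by tokenizing on whitespace and inspecting
// every token. Constructed for this example; not Mattermost's implementation.
// The regex and the limits below are assumptions.
var hashtagRe = regexp.MustCompile(`^#[\p{L}\p{N}_-]{2,}$`)

// extractHashtagsUnbounded has the vulnerable shape: the amount of work is
// proportional to however many tokens the caller chose to send, and nothing
// checks the input before the loop starts.
func extractHashtagsUnbounded(message string) []string {
	seen := make(map[string]bool)
	var tags []string
	for _, tok := range strings.Fields(message) {
		if !hashtagRe.MatchString(tok) {
			continue
		}
		lower := strings.ToLower(tok)
		if !seen[lower] {
			seen[lower] = true
			tags = append(tags, lower)
		}
	}
	return tags
}

// Assumed limits for the hardened path. A real deployment would derive these
// from the server's configured maximum post length.
const (
	maxPostBytes  = 16384
	maxPostTokens = 1000
)

var ErrPostTooLarge = errors.New("post exceeds size or token limit")

// countTokensUpTo counts whitespace-separated tokens without allocating a
// slice and returns as soon as the count passes limit, so the validation
// step stays cheap even for hostile input.
func countTokensUpTo(s string, limit int) int {
	n, inToken := 0, false
	for _, r := range s {
		if unicode.IsSpace(r) {
			inToken = false
			continue
		}
		if !inToken {
			inToken = true
			n++
			if n > limit {
				return n
			}
		}
	}
	return n
}

// extractHashtagsBounded validates byte size and token count before any
// per-token processing runs, which is the control the advisory says was missing.
func extractHashtagsBounded(message string) ([]string, error) {
	if len(message) > maxPostBytes {
		return nil, ErrPostTooLarge
	}
	if countTokensUpTo(message, maxPostTokens) > maxPostTokens {
		return nil, ErrPostTooLarge
	}
	return extractHashtagsUnbounded(message), nil
}

func main() {
	normal := "shipping #Release today, see #release-notes and #QA"
	tags, err := extractHashtagsBounded(normal)
	fmt.Println(tags, err)

	// Constructed attacker-style payload: one post, tens of thousands of tokens.
	abusive := strings.Repeat("#tag ", 50000)
	_, err = extractHashtagsBounded(abusive)
	fmt.Println(err)
}
```

The byte check alone is not enough: a post well under the byte limit can still carry thousands of one-character tokens, which is why the token count is bounded separately.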
Operationally, the attack costs the attacker almost nothing: one authenticated HTTP request imposes significant load, and repeating it multiplies the effect. Because the request is a valid, authenticated post creation carried over TLS, it looks like ordinary user traffic to network-level monitoring, which cannot tell it apart without visibility into the request body. The impact ranges from elevated latency and degraded performance to complete unavailability while the server is busy processing the tokens.
The vulnerability maps to CWE-400 (Uncontrolled Resource Consumption) and to ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation). Organizations running a 10.11.x release should upgrade to 10.11.9 or later, which adds the missing input validation; the summary above lists only the 10.11.x line, so operators on other release lines should check the vendor's advisory for their status. Compensating controls include rate limiting post creation, enforcing a maximum post size in front of the server, and monitoring for posts with abnormal token counts.
Detection is most reliable at the application layer rather than on the wire, since the request body is TLS-encrypted in transit: flag post creations whose message contains an unusually large number of whitespace-separated tokens, and escalate when one account produces several such posts in a short window. More broadly, the case illustrates why input validation must happen before, not during, processing of user-generated content: legitimate functionality becomes a denial-of-service primitive as soon as its cost scales with attacker-controlled input without a bound. After patching, verify that normal hashtag behaviour is unaffected and that oversized posts are rejected rather than processed.
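As an added example of the application-layer detection described above (not code from VulDB or the Mattermost project), the Go program below runs a token-count rule and a per-user burst rule over constructed post-creation records. It assumes the deployment can see post bodies at the application layer, for instance from an audit hook or a TLS-terminating reverse proxy; the record fields, thresholds and window are assumptions to tune per deployment, and the sample traffic is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// PostEvent is a constructed, minimal record of a post-creation request as an
// application-layer audit hook or TLS-terminating proxy might log it. The
// field set is an assumption for this example, not a Mattermost log format.
type PostEvent struct {
	At      time.Time
	User    string
	Message string
}

// Alert is one detection finding.
type Alert struct {
	User   string
	Reason string
}

// Thresholds are assumptions to tune per deployment: legitimate posts rarely
// carry hundreds of whitespace-separated tokens, and one user producing a
// burst of them is a stronger signal than a single outlier.
const (
	tokenThreshold = 500
	burstCount     = 5
	burstWindow    = time.Minute
)

// tokenCount returns the number of whitespace-separated tokens, the quantity
// the advisory says the server failed to bound.
func tokenCount(message string) int {
	return len(strings.Fields(message))
}

// detectOversizedPosts flags every post over the token threshold and raises a
// second, per-user alert when burstCount such posts land within burstWindow.
func detectOversizedPosts(events []PostEvent) []Alert {
	sorted := make([]PostEvent, len(events))
	copy(sorted, events)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].At.Before(sorted[j].At) })

	var alerts []Alert
	recent := make(map[string][]time.Time) // flagged timestamps per user inside the window
	for _, e := range sorted {
		n := tokenCount(e.Message)
		if n <= tokenThreshold {
			continue
		}
		alerts = append(alerts, Alert{e.User, fmt.Sprintf("post with %d whitespace-separated tokens", n)})

		// Slide the window: keep only flagged posts newer than At - burstWindow.
		cutoff := e.At.Add(-burstWindow)
		kept := recent[e.User][:0]
		for _, ts := range recent[e.User] {
			if ts.After(cutoff) {
				kept = append(kept, ts)
			}
		}
		kept = append(kept, e.At)
		recent[e.User] = kept
		if len(kept) == burstCount {
			alerts = append(alerts, Alert{e.User, fmt.Sprintf("%d oversized posts within %s", burstCount, burstWindow)})
		}
	}
	return alerts
}

// sampleEvents builds constructed traffic: one normal user and one user
// sending six token-stuffed posts five seconds apart.
func sampleEvents() []PostEvent {
	base := time.Date(2026, 2, 27, 10, 0, 0, 0, time.UTC)
	events := []PostEvent{{base, "alice", "standup notes in #team, see #release-notes"}}
	payload := strings.Repeat("#t ", 600)
	for i := 0; i < 6; i++ {
		events = append(events, PostEvent{base.Add(time.Duration(i) * 5 * time.Second), "mallory", payload})
	}
	return events
}

func main() {
	for _, a := range detectOversizedPosts(sampleEvents()) {
		fmt.Printf("%s: %s\n", a.User, a.Reason)
	}
}
```

The burst rule fires once, on the fifth flagged post, so a single noisy user produces one escalation rather than one per post; the per-post alerts remain available for triage.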