CVE-2025-35965 in Mattermost

Summary

by MITRE • 04/24/2025

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition.


Analysis

by VulDB Data Team • 09/30/2025

The vulnerability identified as CVE-2025-35965 affects Mattermost server versions in the 9.11.x, 10.4.x and 10.5.x release series, specifically versions up to 9.11.10, 10.4.2 and 10.5.0 respectively. The issue resides in the GraphQL API implementation, in the UpdateRunTaskActions operation that governs how task actions are created and updated within the platform's workflow system. The flaw is a missing input-validation check: a crafted GraphQL request can attach an unbounded and non-unique set of actions to a task.

The technical flaw stems from insufficient input validation in the GraphQL endpoint that processes task action updates. When an attacker submits a malicious request to the UpdateRunTaskActions operation, the server does not enforce either the uniqueness or the quantity constraints for task actions. This allows the creation of task items that contain an excessive number of actions, potentially thousands or even tens of thousands of individual action entries within a single task. The vulnerability is therefore a lack of bounds checking and sanitization of user-supplied data: arbitrary action counts can be submitted without restriction.

The operational impact of this vulnerability goes beyond simple resource consumption: it is a denial-of-service vector that can severely degrade system performance and availability. When an attacker exploits the weakness, the server is overwhelmed processing the excessive action items, leading to exhaustion of CPU, memory and database connections. The DoS condition can render the Mattermost server temporarily or permanently unavailable to legitimate users, disrupting team communications and collaboration workflows. Environments that use Mattermost for project management, task tracking and workflow automation are particularly affected, as these features become inaccessible during the attack.

The security implications of CVE-2025-35965 align with CWE-770, Allocation of Resources Without Limits or Throttling, and relate to the broader ATT&CK technique T1499.004 for Network Denial of Service. The vulnerability shows how improper input validation in an API endpoint can be exploited to create a resource exhaustion condition that compromises system availability. Organizations using Mattermost for critical communications and collaboration may experience significant operational disruption, with potential impact on business continuity and user productivity. The attack vector requires minimal privileges, since it operates through the GraphQL interface and is reachable by any user with basic account access, who can then cause resource exhaustion.

Mitigation should prioritize immediate patching of affected Mattermost versions to the latest stable releases, which contain proper input validation and resource limits for task actions. Organizations should implement rate limiting and request size restrictions at the API gateway level so that requests carrying excessive action counts are rejected before they are processed. Additionally, monitoring and alerting should be configured to detect unusual patterns in task action creation, particularly large numbers of actions being added to a single task. Network segmentation and access controls can limit exposure by restricting API access to trusted sources and enforcing proper authentication. Automated resource quotas and action count limits in the Mattermost configuration provide additional defense-in-depth against exploitation of this vulnerability.
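The two checks the advisory says were missing, an upper bound on the number of actions per task and uniqueness of each action, can be enforced in one server-side validation step before a task's actions are persisted. The following Go code is an added illustration, not Mattermost's own code: the TaskAction type, its field names and the MaxActionsPerTask limit are assumptions for the example, and the real patch may use different names and limits.

```go
package main

import (
	"errors"
	"fmt"
)

// TaskAction is a simplified stand-in (constructed for this example, not the
// Mattermost Playbooks type) for one action attached to a checklist task.
type TaskAction struct {
	TriggerType string // assumed name, e.g. "keywords_posted"
	ActionType  string // assumed name, e.g. "mark_item_as_done"
	Payload     string // trigger/action payload, e.g. the keyword list
}

// MaxActionsPerTask is an assumed limit; the real fix may choose another value.
const MaxActionsPerTask = 10

var (
	ErrTooManyActions  = errors.New("too many task actions")
	ErrDuplicateAction = errors.New("duplicate task action")
)

// ValidateTaskActions rejects an update whose action list exceeds the cap or
// repeats an identical (trigger, action, payload) triple. The cheap length
// check runs first so an oversized request is refused in O(1) before any
// per-action work is done, which is the point of a DoS mitigation.
func ValidateTaskActions(actions []TaskAction) error {
	if len(actions) > MaxActionsPerTask {
		return fmt.Errorf("%w: %d > %d", ErrTooManyActions, len(actions), MaxActionsPerTask)
	}
	seen := make(map[TaskAction]struct{}, len(actions))
	for i, a := range actions {
		if _, dup := seen[a]; dup {
			return fmt.Errorf("%w at index %d", ErrDuplicateAction, i)
		}
		seen[a] = struct{}{}
	}
	return nil
}

func main() {
	// Constructed input: one legitimate action repeated, as an oversized or
	// duplicated mutation would submit it.
	a := TaskAction{"keywords_posted", "mark_item_as_done", "deploy"}
	fmt.Println(ValidateTaskActions([]TaskAction{a}))    // <nil>
	fmt.Println(ValidateTaskActions([]TaskAction{a, a})) // duplicate task action at index 1
}
```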

Responsible: Mattermost

Reservation: 04/22/2025

Disclosure: 04/24/2025

Moderation: accepted

CPE: ready

EPSS: 0.00170

KEV: no

Activities: very low
