CVE-2025-14822

Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens

Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens

Mattermost is vulnerable to CPU exhaustion via crafted HTTP request in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens.

Las versiones de Mattermost 10.11.x &lt;= 10.11.8 no validan el tamaño de la entrada antes de procesar los hashtags, lo que permite a un atacante autenticado agotar los recursos de la CPU a través de una única solicitud HTTP que contiene una publicación con miles de tokens separados por espacios.