CVE-2025-35965 – github.com/mattermost/mattermost-plugin-playbooks

Package

Manager: go
Name: github.com/mattermost/mattermost-plugin-playbooks
Vulnerable Version: >=2.0.0 <2.1.1 || >=0 <1.41.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00077 pctl0.23587

Details

Mattermost Playbooks fails to validate the uniqueness and quantity of task actions Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition.

Metadata

Created: 2025-04-24T09:30:33Z
Modified: 2025-04-24T16:09:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-689c-xq7x-xjwf/GHSA-689c-xq7x-xjwf.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-689c-xq7x-xjwf
Finding: F204
Auto approve: 1