Improper resource allocation in github.com/mattermost/mattermost-server
Description
Mattermost is vulnerable to CPU exhaustion via a crafted HTTP request. Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags, which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands of space-separated tokens.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| go | github.com/mattermost/mattermost-server | 10.11.9, 11.2.0 | |
| go | github.com/mattermost/mattermost/server/v8 | 8.0.0-20251201064648-4d86263f5430 | |
Aliases