Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-60633

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-24 Nov, 2025 | 00:00
Updated At-24 Nov, 2025 | 19:14
Rejected At-
Credits

An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:24 Nov, 2025 | 00:00
Updated At:24 Nov, 2025 | 19:14
Rejected At:
â–¼CVE Numbering Authority (CNA)

An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/free5gc/free5gc
N/A
https://github.com/free5gc/free5gc/issues/702
N/A
https://github.com/free5gc/free5gc/issues/700
N/A
https://github.com/free5gc/free5gc/issues/701
N/A
https://github.com/free5gc/free5gc/issues/703
N/A
Hyperlink: https://github.com/free5gc/free5gc
Resource: N/A
Hyperlink: https://github.com/free5gc/free5gc/issues/702
Resource: N/A
Hyperlink: https://github.com/free5gc/free5gc/issues/700
Resource: N/A
Hyperlink: https://github.com/free5gc/free5gc/issues/701
Resource: N/A
Hyperlink: https://github.com/free5gc/free5gc/issues/703
Resource: N/A
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-1287CWE-1287 Improper Validation of Specified Type of Input
Type: CWE
CWE ID: CWE-1287
Description: CWE-1287 Improper Validation of Specified Type of Input
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:24 Nov, 2025 | 16:15
Updated At:01 Dec, 2025 | 16:16

An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CPE Matches
free5gc
free5gc
>>free5gc>>4.0.0
cpe:2.3:a:free5gc:free5gc:4.0.0:*:*:*:*:*:*:*
free5gc
free5gc
>>free5gc>>4.0.1
cpe:2.3:a:free5gc:free5gc:4.0.1:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-1287Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-1287
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/free5gc/free5gccve@mitre.org
Product
https://github.com/free5gc/free5gc/issues/700cve@mitre.org
Issue Tracking
https://github.com/free5gc/free5gc/issues/701cve@mitre.org
Issue Tracking
https://github.com/free5gc/free5gc/issues/702cve@mitre.org
Issue Tracking
https://github.com/free5gc/free5gc/issues/703cve@mitre.org
Issue Tracking
Hyperlink: https://github.com/free5gc/free5gc
Source: cve@mitre.org
Resource:
Product
Hyperlink: https://github.com/free5gc/free5gc/issues/700
Source: cve@mitre.org
Resource:
Issue Tracking
Hyperlink: https://github.com/free5gc/free5gc/issues/701
Source: cve@mitre.org
Resource:
Issue Tracking
Hyperlink: https://github.com/free5gc/free5gc/issues/702
Source: cve@mitre.org
Resource:
Issue Tracking
Hyperlink: https://github.com/free5gc/free5gc/issues/703
Source: cve@mitre.org
Resource:
Issue Tracking

Change History

0
Information is not available yet

Similar CVEs

17Records found
CVE-2026-32937
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-0.02% / 4.43%
||
7 Day CHG~0.00%
Published-20 Mar, 2026 | 02:43
Updated-27 Mar, 2026 | 17:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
free5GC CHF has Out-of-Bounds Slice Access that Leads to DoS

free5GC is an open source 5G core network. free5GC CHF prior to version 1.2.2 has an out-of-bounds slice access vulnerability in the CHF `nchf-convergedcharging` service. A valid authenticated request to PUT `/nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...` can trigger a server-side panic in `github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)` due to an out-of-range slice access. In the reported runtime, Gin recovery converts the panic into HTTP 500, but the recharge path remains remotely panic-triggerable and can be abused repeatedly to degrade recharge functionality and flood logs. In deployments without equivalent recovery handling, this panic may cause more severe service disruption. free5GC CHF patches the issue. Some workarounds are available: Restrict access to the `nchf-convergedcharging` recharge endpoint to strictly trusted NF callers only; apply rate limiting or network ACLs in front of the CHF SBI interface to reduce repeated panic-trigger attempts; if the recharge API is not required, temporarily disable or block external reachability to this route; and/or ensure panic recovery, monitoring, and alerting are enabled.

Action-Not Available
Vendor-free5gcfree5gc
Product-free5gcchf
CWE ID-CWE-129
Improper Validation of Array Index
CVE-2025-25020
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 43.16%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 15:19
Updated-24 Aug, 2025 | 12:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM QRadar Suite Software and IBM Cloud Pak for Security improper input validation

IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow an authenticated user to cause a denial of service due to improperly validating API data input.

Action-Not Available
Vendor-IBM Corporation
Product-cloud_pak_for_securityqradar_suiteQRadar Suite SoftwareCloud Pak for Security
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2025-20033
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 35.82%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 06:55
Updated-02 Oct, 2025 | 17:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DoS via custom post type for sysconsole plugin readers

Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2025-20036
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.35% / 57.75%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 16:10
Updated-25 Sep, 2025 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficient Input Validation on Post Props

Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_mobileMattermost
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2025-20088
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.45% / 63.70%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 16:49
Updated-01 Oct, 2025 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficient Input Validation on Post Props

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2025-20630
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.22% / 44.48%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 18:18
Updated-24 Sep, 2025 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mobile crash via object that can't be cast to String in Attachment Field

Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_mobileMattermost
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2025-1558
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 30.71%
||
7 Day CHG~0.00%
Published-24 Mar, 2025 | 15:01
Updated-25 Sep, 2025 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service Via Malicious GIF

Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_mobileMattermost
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2025-12689
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.08% / 22.74%
||
7 Day CHG-0.05%
Published-17 Dec, 2025 | 18:14
Updated-29 Dec, 2025 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DoS in Calls plugin via malformed UTF-8 in WebSocket request

Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2024-54083
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.52% / 67.11%
||
7 Day CHG~0.00%
Published-16 Dec, 2024 | 08:02
Updated-30 Sep, 2025 | 15:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DoS via lack of type validation in Calls

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2025-41395
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.27%
||
7 Day CHG~0.00%
Published-24 Apr, 2025 | 06:48
Updated-01 Oct, 2025 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Webapp DoS via malicious retrospective post in Playbooks

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of service (DoS) of the web app for all users.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2025-58729
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.22% / 44.68%
||
7 Day CHG~0.00%
Published-14 Oct, 2025 | 17:01
Updated-22 Feb, 2026 | 17:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Local Session Manager (LSM) Denial of Service Vulnerability

Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_11_25h2windows_server_2022_23h2windows_10_1507windows_11_23h2windows_11_22h2windows_10_22h2windows_server_2019windows_11_24h2windows_10_1607windows_10_1809windows_server_2008windows_server_2022windows_server_2025windows_server_2012windows_10_21h2windows_server_2016Windows Server 2025Windows Server 2008 R2 Service Pack 1Windows 11 Version 23H2Windows Server 2012 (Server Core installation)Windows 10 Version 1809Windows Server 2008 Service Pack 2 (Server Core installation)Windows Server 2008 R2 Service Pack 1 (Server Core installation)Windows Server 2022, 23H2 Edition (Server Core installation)Windows 11 version 22H3Windows Server 2016 (Server Core installation)Windows 10 Version 22H2Windows Server 2019Windows Server 2022Windows 10 Version 1607Windows 11 Version 24H2Windows Server 2025 (Server Core installation)Windows Server 2019 (Server Core installation)Windows Server 2016Windows 11 version 22H2Windows Server 2012 R2Windows 10 Version 1507Windows 10 Version 21H2Windows Server 2008 Service Pack 2Windows 11 Version 25H2Windows Server 2012Windows Server 2012 R2 (Server Core installation)
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2025-59259
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.22% / 44.68%
||
7 Day CHG~0.00%
Published-14 Oct, 2025 | 17:00
Updated-22 Feb, 2026 | 17:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Local Session Manager (LSM) Denial of Service Vulnerability

Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_1507windows_11_22h2windows_server_2012windows_10_21h2windows_11_23h2windows_11_24h2windows_server_2022windows_10_1607windows_10_22h2windows_server_2022_23h2windows_10_1809windows_server_2025windows_server_2019windows_11_25h2windows_server_2016Windows Server 2025Windows 11 Version 23H2Windows Server 2012 (Server Core installation)Windows 10 Version 1809Windows Server 2022, 23H2 Edition (Server Core installation)Windows 11 version 22H3Windows Server 2016 (Server Core installation)Windows 10 Version 22H2Windows Server 2019Windows Server 2022Windows 10 Version 1607Windows 11 Version 24H2Windows Server 2025 (Server Core installation)Windows Server 2019 (Server Core installation)Windows Server 2016Windows 11 version 22H2Windows Server 2012 R2Windows 10 Version 1507Windows 10 Version 21H2Windows 11 Version 25H2Windows Server 2012Windows Server 2012 R2 (Server Core installation)
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2025-59257
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.22% / 44.68%
||
7 Day CHG~0.00%
Published-14 Oct, 2025 | 17:00
Updated-22 Feb, 2026 | 17:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Local Session Manager (LSM) Denial of Service Vulnerability

Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2025windows_11_25h2windows_11_24h2windows_server_2022_23h2Windows Server 2025Windows 11 Version 24H2Windows Server 2025 (Server Core installation)Windows Server 2022, 23H2 Edition (Server Core installation)Windows 11 Version 25H2
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2024-31948
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.08% / 23.06%
||
7 Day CHG~0.00%
Published-07 Apr, 2024 | 00:00
Updated-04 Nov, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.

Action-Not Available
Vendor-frroutingn/afrrouting
Product-frroutingn/afrrouting
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2025-21083
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.46% / 64.33%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 16:10
Updated-25 Sep, 2025 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficient Input Validation on Post Props

Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_mobileMattermost
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2025-20086
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.45% / 63.70%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 16:49
Updated-30 Sep, 2025 | 15:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficient Input Validation on Post Props

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2025-20621
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 60.17%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 18:16
Updated-01 Oct, 2025 | 17:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Webapp crash via object that can't be cast to String in Attachment Field

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
Details not found