CVE-2025-14435
Severity: MEDIUM 6.8 | EPSS: 0.02%
Mattermost is vulnerable to DoS due to infinite re-renders on API errors
Published: 1/16/2026
Modified: 2/27/2026
Description
Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, and 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors, which allows authenticated users to cause an application-level DoS by triggering unbounded component re-render loops.
Affected packages (2)
- Go / github.com/mattermost/mattermost-server: >= 10.11.0, < 10.11.9
- Go / github.com/mattermost/mattermost-server: >= 10.11.0+incompatible, < 10.11.9+incompatible; >= 11.0.1+incompatible, < 11.0.7+incompatible; >= 11.1.0+incompatible, < 11.1.2+incompatible
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H |
References (8)
- ADVISORY: https://github.com/advisories/GHSA-mx8m-v8qm-xwr8
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-14435
- PATCH: https://github.com/mattermost/mattermost
- WEB: https://github.com/mattermost/mattermost/commit/613bb616cd62c584a606919e6978688e7b87d81e
- WEB: https://github.com/mattermost/mattermost/commit/9f7629504bc93f79af8d606329c025a687e143cd
- WEB: https://github.com/mattermost/mattermost/commit/cc6b77b271324796b72f1e6b82dba85a86462f9f
- WEB: https://mattermost.com/security-updates
- WEB: https://pkg.go.dev/vuln/GO-2026-4326