CVE-2025-14822
Mattermost is vulnerable to CPU exhaustion via crafted HTTP request
Severity: LOW (CVSS 3.1) | EPSS: 0.02%
Published: 1/16/2026 | Modified: 2/27/2026
Description
Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags, which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands of space-separated tokens.
Affected packages (2)
- Go: github.com/mattermost/mattermost-server, versions >= 10.11.0, < 10.11.9
- Go: github.com/mattermost/mattermost-server, versions >= 10.11.0+incompatible, < 10.11.9+incompatible; >= 11.0.1+incompatible, < 11.2.0+incompatible
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW (3.1) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L |
References (7)
- ADVISORY: https://github.com/advisories/GHSA-9r42-rhw3-2222
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-14822
- PATCH: https://github.com/mattermost/mattermost
- WEB: https://github.com/mattermost/mattermost/commit/4d86263f5430d0eb991fc52ec886cf778cb072e6
- WEB: https://github.com/mattermost/mattermost/commit/b3d6c0c564c1a79e54e5105d0a8b60fc58a2bdee
- WEB: https://mattermost.com/security-updates
- WEB: https://pkg.go.dev/vuln/GO-2026-4325