How the CVE Works:
Mattermost Playbooks fails to enforce proper validation checks on task actions in the UpdateRunTaskActions GraphQL operation. An attacker can craft a request containing duplicate or excessive task actions (beyond system limits). When the affected tasks are later triggered by specific posts, the server processes every action without rate limiting or uniqueness verification. Executing the redundant actions repeatedly exhausts server resources (CPU and memory spikes), resulting in a denial-of-service condition. The root cause is missing server-side validation in the playbook_run/task_actions.go component.
DailyCVE Form:
Platform: Mattermost
Version: 10.4.0-10.4.2
Vulnerability: DoS via task actions
Severity: Moderate
Date: 2025-04-24
What Undercode Say:
Exploit PoC (GraphQL mutation):

mutation {
  updateRunTaskActions(
    runID: "malicious_run",
    actions: [
      {type: "trigger", payload: "A".repeat(10000)},   # "A".repeat(10000) is shorthand for a 10,000-character string
      {type: "trigger", payload: "A".repeat(10000)},
      # ... repeated 1000+ times
    ]
  )
}
Detection command:

curl -s http://mattermost/api/v4/graphql \
  -H "Authorization: Bearer TOKEN" \
  --data '{"query":"query{playbookRuns{taskActions}}"}'
Patch verification (server-side). The validator rejects an action list that exceeds the cap or contains the same type/payload pair twice; the TaskAction type and the MAX_ACTIONS value are assumed here so the snippet compiles on its own.

package main

import (
	"errors"
	"fmt"
)

const MAX_ACTIONS = 100 // assumed cap; the real limit is not stated on the page

type TaskAction struct {
	Type    string
	Payload string
}

func validateTaskActions(actions []TaskAction) error {
	if len(actions) > MAX_ACTIONS {
		return errors.New("action limit exceeded")
	}
	// Track every type/payload pair already seen in this batch.
	seen := make(map[string]bool)
	for _, action := range actions {
		key := fmt.Sprintf("%s-%s", action.Type, action.Payload)
		if seen[key] {
			return errors.New("duplicate action")
		}
		seen[key] = true
	}
	return nil
}
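The following is an added example, not code from Mattermost or from the original post. It shows a defense-in-depth guard placed in front of the GraphQL endpoint: the HTTP body is bounded, the JSON envelope is parsed, and when the query names updateRunTaskActions the actions variable is checked for count, per-payload size and duplicates before the request reaches the resolver. The limits, the taskAction field names, the TaskActionInput type name and the assumption that clients pass actions as a GraphQL variable are all assumptions for this example (inline argument literals would need the real GraphQL parser, so the guard fails closed on them).

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
)

// Limits are assumptions for this example; the page does not state Mattermost's real ones.
const (
	maxActionsPerRequest = 50      // hard cap on task actions in one mutation
	maxPayloadBytes      = 4096    // cap on a single action payload
	maxBodyBytes         = 1 << 20 // cap on the whole HTTP body
)

// graphqlRequest is the generic JSON envelope a GraphQL client sends.
type graphqlRequest struct {
	Query     string                     `json:"query"`
	Variables map[string]json.RawMessage `json:"variables"`
}

// taskAction mirrors the shape used in the PoC above; the field names are assumed.
type taskAction struct {
	Type    string `json:"type"`
	Payload string `json:"payload"`
}

var updateRunTaskActionsRe = regexp.MustCompile(`\bupdateRunTaskActions\b`)

// checkActions enforces count, size and uniqueness limits on a batch of actions.
func checkActions(actions []taskAction) error {
	if len(actions) > maxActionsPerRequest {
		return fmt.Errorf("%d actions exceed limit of %d", len(actions), maxActionsPerRequest)
	}
	seen := make(map[string]struct{}, len(actions))
	for i, a := range actions {
		if len(a.Payload) > maxPayloadBytes {
			return fmt.Errorf("action %d payload is %d bytes, limit %d", i, len(a.Payload), maxPayloadBytes)
		}
		// NUL separator so type "ab"/payload "c" cannot collide with "a"/"bc".
		key := a.Type + "\x00" + a.Payload
		if _, dup := seen[key]; dup {
			return fmt.Errorf("action %d duplicates an earlier action", i)
		}
		seen[key] = struct{}{}
	}
	return nil
}

// inspectRequest returns nil when the body may be forwarded to the resolver,
// or an error describing why it must be rejected.
func inspectRequest(body []byte) error {
	var req graphqlRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return fmt.Errorf("malformed JSON body: %w", err)
	}
	if !updateRunTaskActionsRe.MatchString(req.Query) {
		return nil // not the operation being guarded
	}
	raw, ok := req.Variables["actions"]
	if !ok {
		// Inline argument literals need the real GraphQL parser; fail closed here.
		return errors.New("updateRunTaskActions must pass actions as a variable")
	}
	var actions []taskAction
	if err := json.Unmarshal(raw, &actions); err != nil {
		return fmt.Errorf("actions variable is not a list of task actions: %w", err)
	}
	return checkActions(actions)
}

// guardTaskActions wraps the GraphQL handler so oversized or duplicate batches
// are rejected before they reach the resolver.
func guardTaskActions(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBodyBytes))
		if err != nil {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if err := inspectRequest(body); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // hand the body back untouched
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample bodies, not captured traffic. TaskActionInput is a placeholder type name.
	q := `mutation($a:[TaskActionInput!]!){updateRunTaskActions(runID:\"r1\",actions:$a)}`
	good := `{"query":"` + q + `","variables":{"actions":[{"type":"trigger","payload":"x"}]}}`
	dup := `{"query":"` + q + `","variables":{"actions":[{"type":"trigger","payload":"x"},{"type":"trigger","payload":"x"}]}}`
	big := `{"query":"` + q + `","variables":{"actions":[{"type":"trigger","payload":"` + strings.Repeat("A", 10000) + `"}]}}`
	for name, b := range map[string]string{"good": good, "duplicate": dup, "oversized": big} {
		fmt.Printf("%-9s -> %v\n", name, inspectRequest([]byte(b)))
	}
}
```

Wire it as `guardTaskActions(graphqlHandler)` on the GraphQL route; it complements, rather than replaces, the server-side validator, since the resolver must still reject bad batches that arrive by any other path.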
Mitigation (rate limiting, nginx):

limit_req_zone $binary_remote_addr zone=graphql:10m rate=5r/s;

location /api/v4/graphql {
    limit_req zone=graphql burst=10 nodelay;
}
Monitoring rule (Prometheus alert rule):

alert: MattermostTaskActionFlood
expr: rate(mattermost_playbook_actions_total[5m]) > 100  # the range window was lost in the original; 5m is assumed
for: 10m
labels:
  severity: critical
annotations:
  summary: "Task action flood detected"
Sources:
Reported By: github.com
Extra Source Hub:
Undercode