Mattermost Playbooks fails to properly validate the props used by the `RetrospectivePost` custom post type in versions 10.4.x ≤ 10.4.2, 10.5.x ≤ 10.5.0, and 9.11.x ≤ 9.11.10. This vulnerability arises due to insufficient sanitization of user-supplied input in the Playbooks plugin. An attacker can craft a malicious post with specially designed props, leading to improper handling by the web application. When processed, these props cause the Mattermost server to crash, resulting in a denial-of-service (DoS) condition for all users. The issue stems from the lack of validation checks on the `RetrospectivePost` metadata, allowing arbitrary payloads to disrupt service availability.
DailyCVE Form
Platform: Mattermost
Version: 10.4.x ≤ 10.4.2, 10.5.x ≤ 10.5.0, 9.11.x ≤ 9.11.10
Vulnerability: Improper Input Validation
Severity: Moderate
Date: Apr 24, 2025
What Undercode Say:
Exploitation:
1. Craft a malicious `RetrospectivePost` with unvalidated props:
{ "type": "custom_retrospective", "props": { "malicious_payload": "<arbitrary_crash_trigger>" } }
2. Send via Mattermost API:
curl -X POST -H "Authorization: Bearer <TOKEN>" -H "Content-Type: application/json" -d @malicious_post.json https://<mattermost-server>/api/v4/posts
Mitigation:
1. Update to patched versions (10.4.3, 10.5.1, 9.11.11).
2. Implement input validation for `RetrospectivePost` props:
import "errors"

// Illustrative deny-list check only: "malicious_payload" is a placeholder key, not a real prop name.
func validateProps(props map[string]interface{}) error {
    if _, ok := props["malicious_payload"]; ok {
        return errors.New("invalid props")
    }
    return nil
}
3. Enable rate-limiting to prevent DoS attacks.
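The deny-list snippet above only catches one named key; the class of bug described in this advisory (arbitrary, unvalidated props reaching server-side handling) is closed by an allow-list that rejects unknown keys, wrong types and oversized values before the post is processed. The following is an added example written for this page, not code from Mattermost or the Playbooks plugin. The prop names in retrospectiveSchema (retrospective_text, rating, published) and the size limits are assumptions for illustration; the real RetrospectivePost props are not given on this page and should be substituted from the plugin's own definition.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// propRule describes one allowed prop: its expected JSON kind and, for strings, a length cap.
type propRule struct {
	kind    string // "string", "number" or "bool"
	maxSize int    // maximum string length; ignored for other kinds
}

// retrospectiveSchema is a HYPOTHETICAL allow-list. These prop names are assumptions
// for this example, not the Playbooks plugin's real RetrospectivePost props.
var retrospectiveSchema = map[string]propRule{
	"retrospective_text": {kind: "string", maxSize: 4096},
	"rating":             {kind: "number"},
	"published":          {kind: "bool"},
}

// maxPropsBytes bounds the whole props object before any key is inspected,
// so an oversized payload is rejected cheaply.
const maxPropsBytes = 16 * 1024

var (
	ErrTooLarge   = errors.New("props exceed size limit")
	ErrUnknownKey = errors.New("unknown prop")
	ErrBadType    = errors.New("prop has wrong type")
	ErrTooLong    = errors.New("string prop too long")
)

// ValidateRetrospectiveProps takes the raw JSON of a post's "props" object and
// returns an error unless every key is allow-listed, correctly typed and within limits.
func ValidateRetrospectiveProps(raw []byte) error {
	if len(raw) > maxPropsBytes {
		return ErrTooLarge
	}
	var props map[string]json.RawMessage
	if err := json.Unmarshal(raw, &props); err != nil {
		return fmt.Errorf("props is not a JSON object: %w", err)
	}
	for key, val := range props {
		rule, ok := retrospectiveSchema[key]
		if !ok {
			return fmt.Errorf("%w: %q", ErrUnknownKey, key)
		}
		switch rule.kind {
		case "string":
			var s string
			if err := json.Unmarshal(val, &s); err != nil {
				return fmt.Errorf("%w: %q", ErrBadType, key)
			}
			if len(s) > rule.maxSize {
				return fmt.Errorf("%w: %q", ErrTooLong, key)
			}
		case "number":
			var n float64
			if err := json.Unmarshal(val, &n); err != nil {
				return fmt.Errorf("%w: %q", ErrBadType, key)
			}
		case "bool":
			var b bool
			if err := json.Unmarshal(val, &b); err != nil {
				return fmt.Errorf("%w: %q", ErrBadType, key)
			}
		}
	}
	return nil
}

func main() {
	// Constructed inputs for demonstration: one well-formed, one with an unknown nested key,
	// one with a type mismatch.
	samples := []string{
		`{"retrospective_text":"went well","rating":4,"published":true}`,
		`{"retrospective_text":"x","unexpected":{"nested":[1,2,3]}}`,
		`{"rating":"four"}`,
	}
	for _, s := range samples {
		fmt.Printf("%s -> %v\n", s, ValidateRetrospectiveProps([]byte(s)))
	}
}
```

The check runs before the post is stored or rendered, so a payload that would have reached the crashing code path is refused with a 4xx-style error instead. Rejecting unknown keys (rather than deny-listing known-bad ones) is what makes the check hold up against payloads nobody has seen yet.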
Detection:
Check logs for abnormal post creation patterns:
grep -E "custom_retrospective.malicious_payload" /var/log/mattermost.log
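A single grep for one key only matches the payload shape someone already knows about; "abnormal post creation patterns" is better measured as a burst of custom-type posts from one account in a short window. The following is an added example for this page, not Mattermost tooling: it scans constructed JSON log lines and flags any user who created more than a threshold of custom_retrospective posts inside a sliding time window. The log field names (timestamp, msg, user_id, post_type) are an assumed simplified shape, not Mattermost's real log schema, so map them to the fields your server actually emits.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// logEntry is an ASSUMED, simplified post-creation log line. Mattermost's real
// log fields may differ; adjust the json tags to match the server's output.
type logEntry struct {
	Timestamp string `json:"timestamp"`
	Msg       string `json:"msg"`
	UserID    string `json:"user_id"`
	PostType  string `json:"post_type"`
}

// constructedLog is sample input built for this example; it was not captured from a real server.
// u1 creates six retrospective posts in 25 seconds, u2 two posts five minutes apart,
// u3 a normal post, and one line is deliberately malformed.
var constructedLog = []string{
	`{"timestamp":"2025-04-24T10:00:00Z","msg":"post created","user_id":"u1","post_type":"custom_retrospective"}`,
	`{"timestamp":"2025-04-24T10:00:05Z","msg":"post created","user_id":"u1","post_type":"custom_retrospective"}`,
	`{"timestamp":"2025-04-24T10:00:10Z","msg":"post created","user_id":"u1","post_type":"custom_retrospective"}`,
	`{"timestamp":"2025-04-24T10:00:15Z","msg":"post created","user_id":"u1","post_type":"custom_retrospective"}`,
	`{"timestamp":"2025-04-24T10:00:20Z","msg":"post created","user_id":"u1","post_type":"custom_retrospective"}`,
	`{"timestamp":"2025-04-24T10:00:25Z","msg":"post created","user_id":"u1","post_type":"custom_retrospective"}`,
	`{"timestamp":"2025-04-24T10:00:00Z","msg":"post created","user_id":"u2","post_type":"custom_retrospective"}`,
	`{"timestamp":"2025-04-24T10:05:00Z","msg":"post created","user_id":"u2","post_type":"custom_retrospective"}`,
	`{"timestamp":"2025-04-24T10:00:01Z","msg":"post created","user_id":"u3","post_type":""}`,
	`this line is not JSON and is skipped`,
}

// BurstyPosters returns, sorted, the user IDs that created more than threshold posts
// of postType within any sliding window of the given length.
func BurstyPosters(lines []string, postType string, window time.Duration, threshold int) ([]string, error) {
	perUser := map[string][]time.Time{}
	for _, l := range lines {
		var e logEntry
		if err := json.Unmarshal([]byte(l), &e); err != nil {
			continue // skip malformed lines rather than aborting the whole scan
		}
		if e.Msg != "post created" || e.PostType != postType {
			continue
		}
		ts, err := time.Parse(time.RFC3339, e.Timestamp)
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", e.Timestamp, err)
		}
		perUser[e.UserID] = append(perUser[e.UserID], ts)
	}
	var flagged []string
	for user, times := range perUser {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0
		for end := range times {
			// Advance the window start until all events in [start, end] fit inside `window`.
			for times[end].Sub(times[start]) > window {
				start++
			}
			if end-start+1 > threshold {
				flagged = append(flagged, user)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged, nil
}

func main() {
	flagged, err := BurstyPosters(constructedLog, "custom_retrospective", time.Minute, 5)
	if err != nil {
		panic(err)
	}
	fmt.Println("users exceeding 5 retrospective posts per minute:", flagged)
}
```

Run against the constructed input this reports only u1. The threshold and window are knobs to tune against a baseline of legitimate Playbooks usage; the same sliding-window count also works as the input to the rate-limiting suggested in mitigation step 3.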
Workaround:
Disable Playbooks plugin if unused:
mmctl plugin disable playbooks
Reported By: github.com