6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-21088

GHSA ID

GHSA-8j3q-gc9x-7972

EPSS Score

0.27181%

CWE

CWE-704

Published

1/15/2025

Updated

1/17/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-21088

CVE-2025-21088: Mattermost Incorrect Type Conversion or Cast

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-21088

GHSA ID

GHSA-8j3q-gc9x-7972

EPSS Score

0.27181%

CWE

CWE-704

Published

1/15/2025

Updated

1/17/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/mattermost/mattermost/server/v8	go	>= 10.2.0, < 10.2.1	10.2.1
github.com/mattermost/mattermost/server/v8	go	>= 10.1.0, <= 10.1.3	10.1.4
github.com/mattermost/mattermost/server/v8	go	>= 10.0.0, <= 10.0.3	10.0.4
github.com/mattermost/mattermost/server/v8	go	>= 9.11.0, <= 9.11.5	9.11.6
github.com/mattermost/mattermost/server/v8	go	< 8.0.0-20241127161322-25ff7a3779a5	8.0.0-20241127161322-25ff7a3779a5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper type validation in post.props.attachments processing. Based on the CWE-704 description and Mattermost's architecture:

PostAction unmarshalling is a prime candidate as it directly handles user-controlled input
Attachment processing functions would be responsible for validating action styles
The frontend crash suggests type safety failures in data serialization
Confidence is medium due to lack of direct patch/diff evidence, but these are logical locations based on the described attack vector and component structure

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M*tt*rmost v*rsions **.*.x <= **.*.*, *.**.x <= *.**.*, **.*.x <= **.*.*, **.*.x <= **.*.* **il to prop*rly v*li**t* t** styl* o* proto suppli** to *n **tion's styl* in post.props.*tt***m*nts, w*i** *llows *n *tt**k*r to *r*s* t** *ront*n* vi* *r**t*

Reasoning

T** vuln*r**ility st*ms *rom improp*r typ* v*li**tion in post.props.*tt***m*nts pro**ssin*. **s** on t** *W*-*** **s*ription *n* M*tt*rmost's *r**it**tur*: *. Post**tion unm*rs**llin* is * prim* **n*i**t* *s it *ir**tly **n*l*s us*r-*ontroll** input

6.5

Basic Information

Concerned about an active attack path?

CVE-2025-21088: Mattermost Incorrect Type Conversion or Cast

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI