
CVE-2025-35965: Mattermost Playbooks fails to validate the uniqueness and quantity of task actions

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.18682%
Published: 4/24/2025
Updated: 4/24/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name                                        | Ecosystem | Vulnerable Versions                  | First Patched Version
github.com/mattermost/mattermost/server/v8          | go        | < 8.0.0-20250218121836-2b5275d87136  | 8.0.0-20250218121836-2b5275d87136
github.com/mattermost/mattermost-plugin-playbooks   | go        | >= 2.0.0, < 2.1.1                    |
github.com/mattermost/mattermost/server/v8          | go        | >= 10.4.0, < 10.4.3                  |
github.com/mattermost/mattermost/server/v8          | go        | >= 10.5.0, < 10.5.1                  |
github.com/mattermost/mattermost/server/v8          | go        | >= 9.11.0, < 9.11.11                 |
github.com/mattermost/mattermost-plugin-playbooks   | go        | < 1.41.0                             | 1.41.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability description states that Mattermost Playbooks fails to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation. The provided commit bf2633dad09f5768ce2bea4b7c5ffb74050052a8 from mattermost/mattermost-plugin-playbooks shows direct modifications to two functions: validateUpdateTaskActions in server/api/graphql_root_playbook.go and validateTaskActions in server/api/playbooks.go.

Both functions had code added to limit the number of task actions to 10. This indicates that, prior to the patch, these functions lacked this crucial validation. When the UpdateRunTaskActions GraphQL operation (or other playbook operations) processed task actions, these validation functions would have been called. Their failure to limit the quantity of actions meant that an attacker could submit a large number of actions, leading to server overload and a Denial of Service, as described.

The functions validateUpdateTaskActions and validateTaskActions are therefore identified as vulnerable because, in their pre-patch state, they were where the missing validation logic belonged, and they would have accepted and processed an excessive number of task actions. The UpdateRunTaskActions GraphQL operation is the entry point named in the vulnerability, and these functions are key components in its validation path (or the lack of one).

The function names are constructed using the Go package path convention, which typically includes the module path and the package directory structure (github.com/mattermost/mattermost-plugin-playbooks/server/api) followed by the function name. These are the signatures that would likely appear in runtime profiling or stack traces during exploitation. The second commit (2b5275d87136f07e016c8eca09a2f004b31afc8a) simply updates the plugin version in the main Mattermost server, confirming the patched version of the plugin, but does not reveal additional vulnerable functions in the server code itself related to this specific flaw.
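To make the fix described above concrete, the following is an added illustration (not code from the Mattermost Playbooks plugin): a pre-patch validator that accepts any list next to a hardened one that enforces the cap of 10 before doing any per-item work and also rejects duplicates. The TaskAction type, the sentinel errors and the choice of the trigger as the uniqueness key are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// MaxTaskActions mirrors the cap of 10 that the fix introduced (the number is
// from the analysis above; the data shape below is an assumption of this example).
const MaxTaskActions = 10

var (
	ErrTooManyTaskActions  = errors.New("too many task actions")
	ErrDuplicateTaskAction = errors.New("duplicate task action")
)

// TaskAction is a hypothetical stand-in for the plugin's task-action type:
// a trigger keyword paired with the actions it fires.
type TaskAction struct {
	Trigger string
	Actions []string
}

// validateTaskActionsUnpatched models the pre-fix behaviour: any list is
// accepted, so an oversized request is processed in full by later code.
func validateTaskActionsUnpatched(actions []TaskAction) error {
	return nil
}

// validateTaskActions is the hardened form: the size check runs first, before
// any per-item work, and duplicate triggers are rejected.
func validateTaskActions(actions []TaskAction) error {
	if len(actions) > MaxTaskActions {
		return fmt.Errorf("%w: got %d, max %d", ErrTooManyTaskActions, len(actions), MaxTaskActions)
	}
	seen := make(map[string]struct{}, len(actions))
	for _, a := range actions {
		if _, dup := seen[a.Trigger]; dup {
			return fmt.Errorf("%w: trigger %q", ErrDuplicateTaskAction, a.Trigger)
		}
		seen[a.Trigger] = struct{}{}
	}
	return nil
}

func main() {
	// Constructed input: one more action than the cap allows.
	oversized := make([]TaskAction, MaxTaskActions+1)
	for i := range oversized {
		oversized[i] = TaskAction{Trigger: fmt.Sprintf("kw-%d", i)}
	}
	fmt.Println("unpatched:", validateTaskActionsUnpatched(oversized))
	fmt.Println("patched:  ", validateTaskActions(oversized))
}
```

Checking the length before iterating is what keeps the cost of rejecting an oversized request constant, which is the point of the fix.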
