6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-41395

GHSA ID

GHSA-3g36-gf7c-75qw

EPSS Score

0.20696%

CWE

CWE-1287

Published

4/24/2025

Updated

4/24/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-41395

CVE-2025-41395: Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of service (DoS) of the web app for all users.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-41395

CVE-2025-41395:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-41395

GHSA ID

GHSA-3g36-gf7c-75qw

EPSS Score

0.20696%

CWE

CWE-1287

Published

4/24/2025

Updated

4/24/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/mattermost/mattermost-plugin-playbooks	go	>= 2.0.0, < 2.1.1
github.com/mattermost/mattermost/server/v8	go	< 8.0.0-20250218121836-2b5275d87136	8.0.0-20250218121836-2b5275d87136
github.com/mattermost/mattermost/server/v8	go	>= 10.4.0, < 10.4.3
github.com/mattermost/mattermost/server/v8	go	>= 10.5.0, < 10.5.1
github.com/mattermost/mattermost/server/v8	go	>= 9.11.0, < 9.11.11
github.com/mattermost/mattermost-plugin-playbooks	go	< 1.41.0	1.41.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description states that Mattermost Playbooks fails to properly validate props used by the RetrospectivePost custom post type. The commit 4c823090e281cb9c0d5c17ee2e5db275117540d1 in mattermost/mattermost-plugin-playbooks directly addresses this.

In the file webapp/src/components/retrospective_post.tsx, the RetrospectivePost component was modified. The patch shows that the lines:

-    const metricsConfigs: Array<Metric> = JSON.parse(props.post.props.metricsConfigs);
-    const metricsData: Array<RunMetricData> = JSON.parse(props.post.props.metricsData);

were replaced with lines that use safeJSONParse and additional type validation (isArrayOf, isMetric, isMetricData):

+    const parsedMetricsConfigs = safeJSONParse<unknown>(props.post.props?.metricsConfigs);
+    const parsedMetricsData = safeJSONParse<unknown>(props.post.props?.metricsData);
+
+    const metricsConfigs: Array<Metric> = isArrayOf(parsedMetricsConfigs, isMetric) ? parsedMetricsConfigs : [];
+    const metricsData: Array<RunMetricData> = isArrayOf(parsedMetricsData, isMetricData) ? parsedMetricsData : [];

This change clearly indicates that the RetrospectivePost function was previously vulnerable due to the direct and unsafe parsing of props.post.props.metricsConfigs and props.post.props.metricsData. The lack of validation before parsing is the root cause, allowing maliciously crafted props to cause a DoS. The other modified file, webapp/src/utils.ts, introduces helper functions for the fix (safeJSONParse, isArrayOf, isMetric, isMetricData) and are not vulnerable themselves but part of the mitigation. The commit in the mattermost/mattermost repository (2b5275d87136f07e016c8eca09a2f004b31afc8a) is just an update to the plugin version in the Makefile and does not contain code changes relevant to the vulnerability itself.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-41395: Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type

CVE-2025-41395:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-41395: Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type

Basic Information

Basic Information

6.5

6.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI