
CVE-2025-46556: MantisBT Vulnerable to Denial-of-Service (DoS) via Excessive Note Length

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 11/3/2025
Updated: 11/3/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name: mantisbt/mantisbt
Ecosystem: composer
Vulnerable Versions: < 2.27.2
First Patched Version: 2.27.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is a Denial-of-Service (DoS) caused by a lack of server-side validation of the length of several free-text fields in MantisBT. Any authenticated user able to report issues or add notes (the CVSS vector requires only low privileges, PR:L, and no user interaction) could submit extremely long strings to bug descriptions, bug notes, textarea custom fields, and user profile descriptions. The application accepted this input with no length restriction, and once such text was stored the affected issue's activity log could no longer be displayed: the page failed to render and new notes could not be shown, effectively breaking collaboration on that issue.

The patches address this vulnerability by introducing a new global configuration setting, $g_max_textarea_length, which defines a maximum allowed length for these text fields. A new helper function, helper_ensure_longtext_length_valid, was created to perform the server-side validation. This function is now called from all the identified vulnerable functions (BugData::validate, IssueAddCommand::validate, bugnote_add, bugnote_set_text, custom_field_update, custom_field_validate, and profile_validate_before_update) before processing the user-provided text. This ensures that any input exceeding the configured limit is rejected, thus preventing the DoS attack.
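As an added illustration, not MantisBT's own code: the standalone PHP below models the guard the patch introduces, with the unchecked "before" path beside the hardened "after" path. The names $g_max_textarea_length and helper_ensure_longtext_length_valid come from the advisory, but the function body, the exception type, the two bugnote_add_* wrappers and the in-memory note store are assumptions written for this example and are not the project's implementation.

```php
<?php
// Added example (not MantisBT's own code): a standalone model of the
// server-side length guard described in the advisory. The identifiers
// $g_max_textarea_length and helper_ensure_longtext_length_valid() are the
// ones the advisory names; everything else here is illustrative.
declare(strict_types=1);

// Site-wide limit, in characters. Large enough for legitimate notes, small
// enough that the issue activity view still renders.
$g_max_textarea_length = 65535;

class LengthLimitException extends RuntimeException {}

function helper_ensure_longtext_length_valid(string $p_text, string $p_field): void
{
    global $g_max_textarea_length;
    // Count characters, not bytes (assumption: mbstring is available). A
    // 4-byte UTF-8 character must count as one, or non-ASCII text is rejected
    // earlier than ASCII text of the same visible length.
    $t_length = mb_strlen($p_text, 'UTF-8');
    if ($t_length > $g_max_textarea_length) {
        throw new LengthLimitException(sprintf(
            'Field "%s" is %d characters; the maximum is %d',
            $p_field, $t_length, $g_max_textarea_length
        ));
    }
}

// Before: the note goes straight to storage with no server-side check,
// which is what the vulnerable bugnote_add() amounted to.
function bugnote_add_vulnerable(array &$p_store, int $p_bug_id, string $p_text): int
{
    $p_store[] = ['bug_id' => $p_bug_id, 'text' => $p_text];
    return count($p_store);
}

// After: validate before touching storage, so an oversized note never reaches
// the database or the activity log. Because the check lives in the storage
// function, every caller (web form, SOAP, REST) gets it.
function bugnote_add_hardened(array &$p_store, int $p_bug_id, string $p_text): int
{
    helper_ensure_longtext_length_valid($p_text, 'bugnote_text');
    $p_store[] = ['bug_id' => $p_bug_id, 'text' => $p_text];
    return count($p_store);
}

// Demonstration with a constructed note one character over the limit.
$t_notes = [];
$t_huge  = str_repeat('A', $g_max_textarea_length + 1);

bugnote_add_vulnerable($t_notes, 1, $t_huge);
echo 'vulnerable path stored ' . strlen($t_notes[0]['text']) . " bytes\n";

try {
    bugnote_add_hardened($t_notes, 1, $t_huge);
} catch (LengthLimitException $e) {
    echo 'hardened path rejected it: ' . $e->getMessage() . "\n";
}

// A note of exactly the limit is accepted, and multibyte text is measured in
// characters: 65535 copies of 'é' are 131070 bytes but still pass.
bugnote_add_hardened($t_notes, 1, str_repeat('é', $g_max_textarea_length));
echo 'stored ' . count($t_notes) . " notes\n";
```

Two points the snippet is built around. The check sits in the storage-layer function rather than in a form handler, which is the shape of the upstream fix: the advisory lists seven call sites precisely because each entry point (issue creation, note add and edit, custom field defaults and values, profile description) needs the same guard. And the limit is counted in characters, so it means the same thing for ASCII and UTF-8 input; a byte-based check would be stricter for non-ASCII text but would not be wrong. PHP's post_max_size (8M by default) is a separate ceiling on the whole request, not on a field, and a note well under it is still far larger than the activity view can render, so it is no substitute for this check.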

Vulnerable functions

BugData::validate (core/bug_api.php)
Validates bug data before creation or update. The patch adds a length check for the 'description', 'steps_to_reproduce', and 'additional_information' fields; before the patch this validation was missing, so an attacker could submit excessively long text in any of them.

IssueAddCommand::validate (core/commands/IssueAddCommand.php)
Validates the data for adding a new issue through the command layer. The patch adds length validation for 'description', 'steps_to_reproduce', and 'additional_information', which previously had no server-side limit.

bugnote_add (core/bugnote_api.php)
Adds a new note to a bug. It performed no server-side validation of the note text length; the patch adds a call to helper_ensure_longtext_length_valid before the note is stored.

bugnote_set_text (core/bugnote_api.php)
Updates the text of an existing bug note. Like bugnote_add it lacked a length check on the note text; the patch adds one.

custom_field_update (core/custom_field_api.php)
Updates custom field definitions. It did not validate the length of the 'default_value' of textarea custom fields; the patch checks that the default value and the field's configured max length stay within the global limit.

custom_field_validate (core/custom_field_api.php)
Validates a custom field's value when it is set on an issue. The patch adds a check that textarea values do not exceed the new global maximum, which was previously not enforced.

profile_validate_before_update (core/profile_api.php)
Validates user profile data. It did not check the length of the profile description; the patch adds a call to helper_ensure_longtext_length_valid. This function is called by profile_create and profile_update.

WAF Protection Rules

WAF Rule

A lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with a note of over a million characters). Once such a note is added: ### Impact - The entire activi
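The text above describes the problem rather than giving a deployable rule. The following ModSecurity 2.x fragment is an added example, not from the advisory or the MantisBT project, of capping note size at the reverse proxy for an instance that cannot yet be upgraded to 2.27.2. The page names (bugnote_add.php, bugnote_edit.php, bug_update.php, bug_report.php), the form-field names (bugnote_text, description, steps_to_reproduce, additional_information) and the 65535 limit are assumptions to verify against your deployment; the three issue-text field names match the fields the patch validates, the rest must be confirmed against the installed version's pages.

```apache
# Added example (not from the advisory or MantisBT): ModSecurity 2.x rules that
# reject oversized MantisBT long-text fields before PHP sees them.
# Assumptions to verify: endpoint and form-field names below, and the 65535
# limit, which should mirror the $g_max_textarea_length you intend to set.

# Phase-2 rules read POST bodies, so body access must be on.
SecRequestBodyAccess On

# Note creation: classic web UI posts the note text as "bugnote_text".
# t:length replaces the value with its byte length before @gt compares it;
# bytes are never fewer than characters, so this cap is conservative.
SecRule REQUEST_FILENAME "@endsWith /bugnote_add.php" \
    "id:1000101,phase:2,deny,status:413,log,chain,\
    msg:'MantisBT note exceeds 65535 bytes (CVE-2025-46556 mitigation)'"
    SecRule ARGS:bugnote_text "@gt 65535" "t:length"

# Note edits and the three long-text issue fields on report/update.
SecRule REQUEST_FILENAME "@rx /(bugnote_edit|bug_update|bug_report)\.php$" \
    "id:1000102,phase:2,deny,status:413,log,chain,\
    msg:'MantisBT long-text field exceeds 65535 bytes (CVE-2025-46556 mitigation)'"
    SecRule ARGS:bugnote_text|ARGS:description|ARGS:steps_to_reproduce|ARGS:additional_information \
        "@gt 65535" "t:length"
```

This covers only form-encoded requests from the web UI. REST API clients post JSON, which these rules do not parse; that path needs the JSON request body processor enabled and a matching rule on the parsed arguments. A bare SecRequestBodyLimit is a blunter alternative but is not scoped per page, so set low enough to stop a multi-megabyte note it would also break attachment uploads. Either way the edge rule is defense in depth: the authoritative fix is the server-side check in 2.27.2.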
