| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/mattermost/mattermost-server | go | >= 10.8.0, <= 10.8.3 | 10.8.4 |
| github.com/mattermost/mattermost-server | go | >= 10.5.0, <= 10.5.8 | 10.5.9 |
| github.com/mattermost/mattermost-server | go | >= 10.9.0, <= 10.9.3 | 10.9.4 |
| github.com/mattermost/mattermost-server | go | = 10.10.0 | 10.10.1 |
| github.com/mattermost/mattermost/server/v8 | go | < 8.0.0-20250708173752-d6b35c41f0ae5 | 8.0.0-20250708173752-d6b35c41f0ae5 |
| github.com/mattermost/mattermost-server | go | >= 9.11.0, <= 9.11.17 | 9.11.18 |
The vulnerability lies in Mattermost's bulk import feature, where unvalidated import data can crash the server. The root cause is a NULL pointer dereference caused by missing validation of the ThreadFollowers field in imported post data. The functions ValidatePostImportData and ValidateDirectPostImportData in server/channels/app/imports/import_validators.go are responsible for validating import data but did not check the integrity of ThreadFollowers. An attacker with system admin privileges could exploit this by crafting a malicious import file: when the server processes it, it encounters a nil value where a user object is expected, panics, and the result is a denial of service. The patch introduces a new validation function, ValidateThreadFollowerImportData, and calls it from both vulnerable functions so that ThreadFollowers data is validated before it is processed.
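The following is an added example, not Mattermost's own code: it models the missing check and the fix as described above, with a consumer that dereferences each follower's user the way the importer would. The struct fields, the consumer function followerNames and the wrapper ImportPostFollowers are simplified assumptions; only the validator names come from the advisory.

```go
package main

import "fmt"

// Simplified model of the import structures (assumed here, not Mattermost's own types).
type ThreadFollowerImportData struct {
	User *string
}
type PostImportData struct {
	User            *string
	ThreadFollowers *[]ThreadFollowerImportData
}
// ValidateThreadFollowerImportData models the check the fix adds: an entry must name a user.
func ValidateThreadFollowerImportData(f *ThreadFollowerImportData) error {
	if f == nil || f.User == nil || *f.User == "" {
		return fmt.Errorf("thread follower has no user")
	}
	return nil
}
// ValidatePostImportData rejects the post on the first invalid follower entry, before processing.
func ValidatePostImportData(p *PostImportData) error {
	if p == nil || p.User == nil || *p.User == "" {
		return fmt.Errorf("post is missing a user")
	}
	if p.ThreadFollowers != nil {
		for i := range *p.ThreadFollowers {
			if err := ValidateThreadFollowerImportData(&(*p.ThreadFollowers)[i]); err != nil {
				return fmt.Errorf("thread_followers[%d]: %w", i, err)
			}
		}
	}
	return nil
}
// followerNames dereferences f.User directly: an entry with a null user panics here if validation is skipped.
func followerNames(p *PostImportData) []string {
	var names []string
	if p.ThreadFollowers != nil {
		for _, f := range *p.ThreadFollowers {
			names = append(names, *f.User)
		}
	}
	return names
}
// ImportPostFollowers is the patched path: validate, then process (the vulnerable path skipped validation).
func ImportPostFollowers(p *PostImportData) ([]string, error) {
	if err := ValidatePostImportData(p); err != nil {
		return nil, err
	}
	return followerNames(p), nil
}
```

The same validation gap applies to ValidateDirectPostImportData, which the patch fixes the same way.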