PT-2025-45766 — Allocation of Resources Without Limits em Packagist Mantisbt/Mantisbt

PT-2025-45766 · Packagist · Mantisbt/Mantisbt

Publicado

2025-11-03

Atualizado

2025-11-03

CVSS v3.1

6.5

Média

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

A lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters). Once such a note is added:

Impact

The entire activity stream becomes unviewable (UI fails to render).
New notes cannot be displayed, effectively breaking all future collaboration on the issue.

Patches

Fixed in 2.27.2.

Workarounds

None

Credits

Thanks to Mazen Mahmoud (@TheAmazeng) for reporting the vulnerability.

Correção

Allocation of Resources Without Limits

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-770

Identificadores relacionados

GHSA-R3JF-HM7Q-QFW5

Produtos afetados

Mantisbt/Mantisbt