Gian Klug

**Name of the Vulnerable Software and Affected Versions** Mattermost Mobile versions prior to 2.13.0 **Description** The issue is related to uncontrolled resource consumption, where the syntax highlighter fails to limit the size of the code block it processes. This allows an attacker to send a very large code block, potentially crashing the mobile app. **Recommendations** For versions prior to 2.13.0, update to version 2.13.0 or later to resolve the issue. As a temporary workaround, consider restricting the size of code blocks that can be processed by the syntax highlighter to prevent excessive resource consumption.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions prior to v8.1.9 **Description** The issue is related to uncontrolled resource consumption. An attacker can exploit this by setting a custom user status with an emoji value as a very long string, causing high resource consumption and possibly crashing the server. This can be done by sending multiple times a very long string as an emoji value. **Recommendations** For versions prior to v8.1.9, update to version v8.1.9 or later to resolve the issue. As a temporary workaround, consider restricting the length of the emoji value in the custom user status to prevent high resource consumption. Restrict access to the custom user status feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions prior to v8.1.8 **Description** The issue arises from the failure to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post. This allows an attacker to send a huge amount of non-existent custom emojis in a post, potentially crashing the mobile app of a user seeing the post and overloading the server when clients attempt to retrieve the post. This results in Uncontrolled Resource Consumption. **Recommendations** For Mattermost versions prior to v8.1.8, update to version v8.1.8 or later to resolve the issue. As a temporary workaround, consider restricting the amount of custom emojis that can be added to a post to prevent overloading. Additionally, limiting the number of reactions fetched for a post can help mitigate the risk of crashing the mobile app or server.