PT-2024-18013 · Mattermost · Mattermost
Gian Klug · Published 2024-02-09 · Updated 2024-06-28
CVE-2024-1402 · CVSS v4.0 7.1 High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Mattermost versions prior to v8.1.8
Description
The issue arises from the failure to check whether a custom emoji reaction exists when it is sent to a post, and from the absence of a limit on the number of custom emojis that can be added to a post. This allows an attacker to attach a very large number of non-existent custom emojis to a post, potentially crashing the mobile app of any user who views the post and overloading the server when clients attempt to retrieve it. The result is Uncontrolled Resource Consumption.
Recommendations
For Mattermost versions prior to v8.1.8, update to v8.1.8 or later to resolve the issue. As a temporary workaround, consider restricting the number of custom emojis that can be added to a post to prevent overloading. Additionally, limiting the number of reactions fetched for a post can help mitigate the risk of crashing the mobile app or server.
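The two server-side checks the description says were missing (reject reactions naming an emoji the server cannot resolve, and cap the number of distinct emoji a post may carry), written here as an added illustration in Go; this is not Mattermost's code, and `ReactionStore`, `MaxReactionsPerPost` and the error values are hypothetical names chosen for the example.

```go
package main

import "errors"

// Hypothetical cap on distinct emoji reactions a single post may carry.
const MaxReactionsPerPost = 40

var (
	ErrUnknownEmoji = errors.New("emoji does not exist")
	ErrReactionCap  = errors.New("reaction limit reached for post")
)

// ReactionStore tracks the emoji names the server can resolve (system and
// custom) and the set of emoji already reacted on each post.
type ReactionStore struct {
	known   map[string]bool
	perPost map[string]map[string]bool
}

func NewReactionStore(knownEmoji ...string) *ReactionStore {
	s := &ReactionStore{known: map[string]bool{}, perPost: map[string]map[string]bool{}}
	for _, n := range knownEmoji {
		s.known[n] = true
	}
	return s
}

// AddReaction applies both checks: the emoji must resolve to one the
// server knows, and a post may not exceed MaxReactionsPerPost distinct
// emoji. Re-adding an existing reaction is a no-op, so the cap counts
// distinct emoji rather than requests.
func (s *ReactionStore) AddReaction(postID, emojiName string) error {
	if !s.known[emojiName] {
		return ErrUnknownEmoji
	}
	set := s.perPost[postID]
	if set == nil {
		set = map[string]bool{}
		s.perPost[postID] = set
	}
	if set[emojiName] {
		return nil
	}
	if len(set) >= MaxReactionsPerPost {
		return ErrReactionCap
	}
	set[emojiName] = true
	return nil
}
```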
Fix
DoS
Resource Exhaustion
Affected Products
Mattermost