PT-2025-17701 · Mattermost · Mattermost

Vultza

·

Published

2025-04-24

·

Updated

2025-04-26

·

CVE-2025-35965

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Mattermost versions 9.11.x through 9.11.10
Mattermost versions 10.4.x through 10.4.2
Mattermost versions 10.5.x through 10.5.0
Description

Mattermost fails to validate the uniqueness and quantity of task actions submitted through the "UpdateRunTaskActions" GraphQL operation. An attacker can therefore attach an excessive number of actions, triggered by specific posts, to task items; evaluating all of them against incoming posts overloads the server and causes a denial-of-service (DoS) condition.
Recommendations

Update affected installations (9.11.x through 9.11.10, 10.4.x through 10.4.2, 10.5.x through 10.5.0) to a version that includes the fix for this issue. As a temporary workaround, restrict access to the "UpdateRunTaskActions" GraphQL operation (for example by filtering requests that carry that operation name at a reverse proxy in front of the server) to minimize the risk of exploitation.
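The missing check the description refers to, and what the workaround is buying time for, is a bound on how many actions one task item may carry and a rejection of duplicates. The following is an added example, not Mattermost's own code: the TaskAction shape, the caps, and the keyword-match loop are assumptions chosen to illustrate the pattern. ValidateTaskActions enforces quantity and uniqueness before anything is stored; TriggeredActions shows why the bound matters, since every post is checked against every stored action.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// TaskAction is a hypothetical shape for one task-item action: a trigger
// (here, keywords seen in a post) paired with the action to run.
// It is not Mattermost's real type.
type TaskAction struct {
	TriggerType string   // e.g. "keywords_posted"
	Keywords    []string // trigger payload
	ActionType  string   // e.g. "mark_item_as_done"
}

// Illustrative caps; the real limits are a product decision.
const (
	MaxActionsPerTask    = 5
	MaxKeywordsPerAction = 20
	MaxKeywordLen        = 64
)

var (
	ErrTooManyActions  = errors.New("too many actions on one task item")
	ErrDuplicateAction = errors.New("duplicate action on task item")
	ErrMalformedAction = errors.New("malformed task action")
)

// key canonicalises an action so that two actions differing only in
// keyword order still collide during deduplication.
func (a TaskAction) key() string {
	kw := append([]string(nil), a.Keywords...)
	sort.Strings(kw)
	return a.TriggerType + "\x00" + a.ActionType + "\x00" + strings.Join(kw, "\x00")
}

// ValidateTaskActions bounds the quantity of actions, bounds the size of
// each action, and rejects duplicates, all before anything is persisted.
func ValidateTaskActions(actions []TaskAction) error {
	if len(actions) > MaxActionsPerTask {
		return fmt.Errorf("%w: %d > %d", ErrTooManyActions, len(actions), MaxActionsPerTask)
	}
	seen := make(map[string]struct{}, len(actions))
	for i, a := range actions {
		if a.TriggerType == "" || a.ActionType == "" {
			return fmt.Errorf("%w: index %d has an empty trigger or action type", ErrMalformedAction, i)
		}
		if len(a.Keywords) > MaxKeywordsPerAction {
			return fmt.Errorf("%w: index %d has %d keywords", ErrMalformedAction, i, len(a.Keywords))
		}
		for _, k := range a.Keywords {
			if k == "" || len(k) > MaxKeywordLen {
				return fmt.Errorf("%w: index %d has an empty or oversized keyword", ErrMalformedAction, i)
			}
		}
		if _, dup := seen[a.key()]; dup {
			return fmt.Errorf("%w: index %d", ErrDuplicateAction, i)
		}
		seen[a.key()] = struct{}{}
	}
	return nil
}

// TriggeredActions counts the actions a single post fires. Without the
// cap above, the work done per post grows with whatever the attacker
// was allowed to store on the task item.
func TriggeredActions(post string, actions []TaskAction) int {
	text := strings.ToLower(post)
	hits := 0
	for _, a := range actions {
		for _, k := range a.Keywords {
			if strings.Contains(text, strings.ToLower(k)) {
				hits++
				break
			}
		}
	}
	return hits
}

func main() {
	ok := []TaskAction{{TriggerType: "keywords_posted", Keywords: []string{"resolved"}, ActionType: "mark_item_as_done"}}
	fmt.Println("valid set:", ValidateTaskActions(ok))

	// Constructed abuse case: thousands of identical actions on one item.
	flood := make([]TaskAction, 5000)
	for i := range flood {
		flood[i] = ok[0]
	}
	fmt.Println("flood:", ValidateTaskActions(flood))
	fmt.Println("actions fired by one post without the check:", TriggeredActions("issue resolved", flood))
}
```

The uniqueness key sorts keywords so that reordering them cannot bypass deduplication; whatever the real identity of an action is, the comparison has to be over a canonical form, not the raw request payload.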

Fix

DoS

Weakness Enumeration

CWE-770: Allocation of Resources Without Limits or Throttling

Related Identifiers

CVE-2025-35965
GHSA-689C-XQ7X-XJWF
GO-2025-3643
OPENSUSE-SU-2025:15033-1

Affected Products

Mattermost