CVE-2025-41395

Name of the Vulnerable Software and Affected Versions Mattermost versions 9.11.x through 9.11.10 Mattermost versions 10.4.x through 10.4.2 Mattermost versions 10.5.x through 10.5.0

Description The issue arises from the failure to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin. This allows an attacker to create a specially crafted post with maliciously crafted props, causing a denial of service (DoS) of the web app for all users.

Recommendations For versions 9.11.x through 9.11.10, update to a version later than 9.11.10 to resolve the issue. For versions 10.4.x through 10.4.2, update to a version later than 10.4.2 to resolve the issue. For versions 10.5.x through 10.5.0, update to a version later than 10.5.0 to resolve the issue. As a temporary workaround, consider disabling the RetrospectivePost custom post type in the Playbooks plugin until a patch is available.