CVE-2025-21088

Name of the Vulnerable Software and Affected Versions Mattermost versions 9.11.x through 9.11.5 Mattermost versions 10.0.x through 10.0.3 Mattermost versions 10.1.x through 10.1.3 Mattermost versions 10.2.x through 10.2.0

Description The issue arises from the failure to properly validate the style of proto supplied to an action's style in post.props.attachments. This allows an attacker to crash the frontend via crafted malicious input.

Recommendations For versions 9.11.x through 9.11.5, consider disabling the processing of attachments in post.props until a patch is available. For versions 10.0.x through 10.0.3, restrict access to the post.props.attachments feature to minimize the risk of exploitation. For versions 10.1.x through 10.1.3, avoid using the style attribute in post.props.attachments until the issue is resolved. For versions 10.2.x through 10.2.0, as a temporary workaround, consider disabling the frontend when handling crafted malicious input until a patch is available.