PT-2025-45766 — Allocation of Resources Without Limits in Packagist Mantisbt/Mantisbt

PT-2025-45766 · Packagist · Mantisbt/Mantisbt

Published

2025-11-03

Updated

2025-11-03

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

A lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters). Once such a note is added:

Impact

The entire activity stream becomes unviewable (UI fails to render).
New notes cannot be displayed, effectively breaking all future collaboration on the issue.

Patches

Fixed in 2.27.2.

Workarounds

None

Credits

Thanks to Mazen Mahmoud (@TheAmazeng) for reporting the vulnerability.

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-770

Related Identifiers

GHSA-R3JF-HM7Q-QFW5

Affected Products

Mantisbt/Mantisbt