CVE-2025-20072

Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://mattermost.com/security-updates	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*

History

24 Sep 2025, 16:46

Type	Values Removed	Values Added
CPE		cpe:2.3:a:mattermost:mattermost_mobile::::::::
Summary		(es) Las versiones de Mattermost Mobile <= 2.22.0 no pueden validar correctamente el estilo del proto suministrado al estilo de una acción en post.props.attachments, lo que permite a un atacante bloquear el móvil a través de una entrada maliciosa manipulada.
References	~~() https://mattermost.com/security-updates -~~	() https://mattermost.com/security-updates - Vendor Advisory
First Time		Mattermost mattermost Mobile Mattermost

16 Jan 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-16 18:15

Updated : 2025-09-24 16:46

NVD link : CVE-2025-20072

Mitre link : CVE-2025-20072

CVE.ORG link : CVE-2025-20072

JSON object : View

Products Affected

mattermost

mattermost_mobile

CWE

CWE-704

Incorrect Type Conversion or Cast

{"id": "CVE-2025-20072", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-01-16T18:15:28.517", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["Vendor Advisory"], "source": "responsibledisclosure@mattermost.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "description": [{"lang": "en", "value": "CWE-704"}]}], "descriptions": [{"lang": "en", "value": "Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input."}, {"lang": "es", "value": " Las versiones de Mattermost Mobile <= 2.22.0 no pueden validar correctamente el estilo del proto suministrado al estilo de una acci\u00f3n en post.props.attachments, lo que permite a un atacante bloquear el m\u00f3vil a trav\u00e9s de una entrada maliciosa manipulada."}], "lastModified": "2025-09-24T16:46:59.433", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0CB15D9-251D-4872-99D7-27AD709FBF25", "versionEndExcluding": "2.23.0"}], "operator": "OR"}]}], "sourceIdentifier": "responsibledisclosure@mattermost.com"}