
GHSA-vm9m-57jr-4pxh

GitHub Security Advisory

Mattermost fails to limit the number of role names

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.
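The failure mode described above is an unbounded collection in a request body: if the handler decodes whatever array the client sends before checking its length, a single authenticated user can make the server allocate memory proportional to the request. The example below is added here and is not Mattermost's code or its fix; it shows the vulnerable decoder shape beside a hardened one that streams the array and rejects it as soon as a cap is exceeded, plus a handler that also caps the raw body size. The `/api/v4/roles/names` path, the role-name format, and the numeric limits are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Illustrative caps; the advisory does not state the values Mattermost chose.
const (
	defaultMaxRoleNames = 100      // maximum names accepted per request
	defaultMaxBodyBytes = 64 << 10 // 64 KiB is generous for 100 role names
)

var errTooManyRoleNames = errors.New("too many role names requested")

// decodeRoleNamesUnbounded has the shape the advisory describes: it decodes
// whatever array the client sends, so a huge array is materialized in full.
func decodeRoleNamesUnbounded(r io.Reader) ([]string, error) {
	var names []string
	if err := json.NewDecoder(r).Decode(&names); err != nil {
		return nil, err
	}
	return names, nil
}

// decodeRoleNames streams the array element by element and fails as soon as
// the cap is exceeded, before the excess elements are allocated.
func decodeRoleNames(r io.Reader, maxNames int) ([]string, error) {
	dec := json.NewDecoder(r)
	tok, err := dec.Token() // opening '['
	if err != nil {
		return nil, err
	}
	if d, ok := tok.(json.Delim); !ok || d != '[' {
		return nil, errors.New("expected a JSON array of role names")
	}
	names := make([]string, 0, 16)
	for dec.More() {
		if len(names) >= maxNames {
			return nil, errTooManyRoleNames
		}
		var name string
		if err := dec.Decode(&name); err != nil {
			return nil, err
		}
		names = append(names, name)
	}
	if _, err := dec.Token(); err != nil { // closing ']'
		return nil, err
	}
	return names, nil
}

// rolesByNamesHandler bounds both the raw body size and the element count.
// The endpoint path is an assumption used only for the in-process request.
func rolesByNamesHandler(maxNames int, maxBody int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, maxBody) // errors past maxBody
		names, err := decodeRoleNames(r.Body, maxNames)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		// Constructed stand-in for the role lookup: echo the validated names.
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(names)
	}
}

// roleNamesBody builds a constructed request body containing n role names.
func roleNamesBody(n int) string {
	var b strings.Builder
	b.WriteByte('[')
	for i := 0; i < n; i++ {
		if i > 0 {
			b.WriteByte(',')
		}
		fmt.Fprintf(&b, "\"role_%d\"", i)
	}
	b.WriteByte(']')
	return b.String()
}

// postRoleNames sends body to the handler in-process and returns the HTTP status.
func postRoleNames(h http.HandlerFunc, body string) int {
	rr := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/v4/roles/names", strings.NewReader(body))
	h(rr, req)
	return rr.Code
}

func main() {
	hostile := roleNamesBody(50000)
	all, _ := decodeRoleNamesUnbounded(strings.NewReader(hostile))
	fmt.Printf("unbounded decoder accepted %d names from %d bytes\n", len(all), len(hostile))

	h := rolesByNamesHandler(defaultMaxRoleNames, defaultMaxBodyBytes)
	fmt.Println("hardened handler, 2 names:", postRoleNames(h, `["system_admin","channel_user"]`))
	fmt.Println("hardened handler, 50000 names:", postRoleNames(h, hostile))
}
```

The two limits are complementary: `http.MaxBytesReader` stops a request that is simply large, while the element cap stops one that is small on the wire but expands into many allocations, and checking the count inside the decode loop means the rejection happens before the memory is spent rather than after.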

Affected Packages

Go github.com/mattermost/mattermost/server/v8
Affected versions: 9.4.0 up to but not including 9.4.2 (fixed in 9.4.2)
Go github.com/mattermost/mattermost/server/v8
Affected versions: 9.3.0 (fixed in 9.3.1)
Go github.com/mattermost/mattermost/server/v8
Affected versions: 9.2.0 up to but not including 9.2.5 (fixed in 9.2.5)
Go github.com/mattermost/mattermost/server/v8
Affected versions: all versions before 8.1.9 (fixed in 8.1.9)


Key Information

GHSA ID
GHSA-vm9m-57jr-4pxh
Published
February 29, 2024 12:31 PM
Last Modified
December 13, 2024 8:29 PM
CVSS Score
5.0 / 10
Primary Ecosystem
Go
Primary Package
github.com/mattermost/mattermost/server/v8
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 2, 2025 6:46 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.