CVE-2024-1953

Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.

Published: Feb 29, 2024
Updated: May 4, 2025
CVE: CVE-2024-1953
GHSA: GHSA-vm9m-57jr-4pxh
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWEs:

CWE-400
CWE-770

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost/server/v8	9.4.0	9.4.2
github.com/mattermost/mattermost/server/v8	9.3.0	9.3.1
github.com/mattermost/mattermost/server/v8	9.2.0	9.2.5
github.com/mattermost/mattermost/server/v8	-	8.1.9
mattermost / mattermost_server	8.1.0	8.1.9
mattermost / mattermost_server	9.4.0	9.4.2
mattermost / mattermost_server	9.2.0	9.2.5
mattermost / mattermost_server	9.3.0	9.3.0.x

https://mattermost.com/security-updates

Vulnerability Database

289,784

CVE-2024-1953