Vulnerability in Mattermost

CVE-2025-0503

Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint, which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked those DMs as deleted in the database.

EPSS: 0.002 (14.2th percentile).

CVSS v3 metric

CVSS v3 base score 3.1 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N.

Frequently asked questions

What is CVE-2025-0503?
CVE-2025-0503 is a low-severity vulnerability in Mattermost, classified under Improper Check for Unusual or Exceptional Conditions. CVSS score: 3.1/10. Published 2025-02-14.
How severe is CVE-2025-0503?
Low severity. CVSS v3 base score is 3.1 out of 10.