Vulnerability in Mattermost
CVE-2025-0503
Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint, which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.
EPSS: 0.002 (14.2th percentile)
CVSS v3 metric
CVSS v3 base score 3.1 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N.
Affected products
- Mattermost — versions 9.11.0, 10.4.0, 9.11.7
- Mattermost Mattermost_server
Weakness classification (CWE)
- Improper Check for Unusual or Exceptional Conditions (CWE-754)
References
- responsibledisclosure@mattermost.com (Vendor Advisory)
Frequently asked questions
- What is CVE-2025-0503?
- CVE-2025-0503 is a low-severity vulnerability in Mattermost, classified under Improper Check for Unusual or Exceptional Conditions. CVSS score: 3.1/10. Published 2025-02-14.
- How severe is CVE-2025-0503?
- Low severity. CVSS v3 base score is 3.1 out of 10.