CVE-2025-35965

6.5 MEDIUM

📋 TL;DR

This vulnerability allows attackers to create task items with excessive actions via the UpdateRunTaskActions GraphQL operation, causing server overload and denial-of-service. It affects Mattermost instances running vulnerable versions 9.11.x through 10.5.0. Both authenticated and unauthenticated users could potentially exploit this depending on configuration.

💻 Affected Systems

Products:
  • Mattermost
Versions: 9.11.x <= 9.11.10, 10.4.x <= 10.4.2, 10.5.x <= 10.5.0
Operating Systems: All platforms running Mattermost
Default Config Vulnerable: ⚠️ Yes
Notes: All Mattermost deployments with vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to resource exhaustion, potentially affecting all users and disrupting business operations.

🟠 Likely Case: Performance degradation and intermittent service disruptions affecting user experience and productivity.

🟢 If Mitigated: Minimal impact with proper rate limiting, monitoring, and updated versions.

🌐 Internet-Facing: HIGH - Publicly accessible Mattermost instances are directly vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal users could still cause disruption, though attack surface is smaller.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of GraphQL endpoints but is technically simple. Unauthenticated access depends on Mattermost configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.11.11, 10.4.3, 10.5.1 or later

Vendor Advisory: https://mattermost.com/security-updates

Restart Required: Yes

Instructions:

1. Back up your Mattermost instance.
2. Upgrade to a patched version (9.11.11+, 10.4.3+, or 10.5.1+).
3. Restart the Mattermost service.
4. Verify that the upgrade completed successfully.

🔧 Temporary Workarounds

Rate Limit GraphQL Operations

Applies to: all

Implement rate limiting on GraphQL endpoints to prevent excessive requests. Configure rate limiting in Mattermost config.json or via a reverse proxy.

Restrict GraphQL Access

Applies to: all

Limit access to GraphQL endpoints to authenticated users only. Update the Mattermost configuration to require authentication for API endpoints.

🧯 If You Can't Patch

  • Implement strict rate limiting on all GraphQL endpoints
  • Monitor server resource usage and set alerts for abnormal spikes

🔍 How to Verify

Check if Vulnerable:

Check Mattermost version via System Console > About or run: mattermost version

Check Version:

mattermost version

Verify Fix Applied:

Confirm the running version is 9.11.11+, 10.4.3+, or 10.5.1+, then confirm that an UpdateRunTaskActions request carrying an excessive number of actions is rejected rather than processed.
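As an added example (not part of this advisory or of Mattermost's own tooling), a small Python check that classifies a Mattermost version string against the affected ranges listed above. The accepted version-string formats and the "unlisted" result for branches the advisory does not mention are assumptions.

```python
# Added example: classify a Mattermost version against the CVE-2025-35965
# ranges from this advisory. Not vendor code; the input formats are assumed.

# Affected branches from the advisory: (major, minor) -> last affected patch level.
# 9.11.x <= 9.11.10, 10.4.x <= 10.4.2, 10.5.x <= 10.5.0
LAST_AFFECTED = {
    (9, 11): (9, 11, 10),
    (10, 4): (10, 4, 2),
    (10, 5): (10, 5, 0),
}


def parse_version(text: str) -> tuple:
    """Turn strings like '10.5.0', 'v9.11.11' or '10.4.2-rc1' into (major, minor, patch).

    Pre-release / build suffixes are dropped (assumption: they do not change the
    patch level that matters here). Anything else raises ValueError.
    """
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Mattermost version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for the given version string.

    'unlisted' means the advisory does not name that branch at all (for example
    a 10.3.x build); treat it as needing review rather than as safe.
    """
    major, minor, patch = parse_version(text)
    last_affected = LAST_AFFECTED.get((major, minor))
    if last_affected is None:
        return "unlisted"
    # Tuple comparison walks major, minor, patch in order.
    return "affected" if (major, minor, patch) <= last_affected else "fixed"


if __name__ == "__main__":
    for sample in ("9.11.10", "v9.11.11", "10.4.2", "10.5.0-rc1", "10.5.1", "10.3.0"):
        print(f"{sample:>12}: {assess(sample)}")
```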

📡 Detection & Monitoring

Log Indicators:

  • Multiple UpdateRunTaskActions operations in short time
  • High CPU/memory usage spikes
  • GraphQL query errors related to task actions

Network Indicators:

  • Unusual GraphQL request patterns
  • Multiple POST requests to /api/v4/graphql

SIEM Query:

source="mattermost" AND ("UpdateRunTaskActions" OR ("graphql" AND "task")) | stats count by src_ip
