CVE-2025-46556
📋 TL;DR
Mantis Bug Tracker versions 2.27.1 and below are vulnerable to a denial-of-service attack where attackers can submit extremely long notes (over 4.7 million characters) that permanently corrupt issue activity logs. This breaks the activity stream UI, preventing display of new notes and effectively halting all future collaboration on affected issues. Organizations using vulnerable MantisBT installations are affected.
💻 Affected Systems
- Mantis Bug Tracker
📦 What is this software?
MantisBT (Mantis Bug Tracker), developed by the mantisbt project.
⚠️ Risk & Real-World Impact
Worst Case
Critical issues become permanently unmanageable as collaboration is halted, requiring database-level cleanup to restore functionality.
Likely Case
Attackers disrupt specific bug tracking workflows by making targeted issues unusable for collaboration.
If Mitigated
With proper input validation and length limits, no impact occurs.
🎯 Exploit Status
Exploitation requires authenticated access to submit notes. The attack is simple - just submit an extremely long note via the web interface or API.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.27.2
Vendor Advisory: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-r3jf-hm7q-qfw5
Restart Required: No
Instructions:
1. Back up your MantisBT installation and database.
2. Download version 2.27.2 from the official repository.
3. Replace the existing installation files with the new version.
4. Run the database upgrade script if prompted.
5. Verify the installation works correctly.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rule
Block HTTP requests with extremely long note parameters
Configure WAF to block POST requests to /bugnote_add.php with note parameter exceeding 10,000 characters
Database Trigger
Add database-level validation to prevent long notes
-- MySQL/MariaDB. The note body lives in the bugnote *text* table
-- (mantis_bugnote_text_table.note); mantis_bugnote_table only holds
-- metadata and a bugnote_text_id reference, so the trigger must target
-- the text table. CHAR_LENGTH counts characters; LENGTH counts bytes.
DELIMITER //
CREATE TRIGGER validate_note_length
BEFORE INSERT ON mantis_bugnote_text_table
FOR EACH ROW
BEGIN
  IF CHAR_LENGTH(NEW.note) > 10000 THEN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Note too long';
  END IF;
END //
DELIMITER ;
-- Note edits write to the same table, so add a matching BEFORE UPDATE trigger
-- if edited notes must be limited as well.
🧯 If You Can't Patch
- Implement strict input validation at the application layer to limit note length to reasonable values (e.g., 10,000 characters)
- Restrict note submission permissions to trusted users only and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Check if your MantisBT version is 2.27.1 or earlier by viewing the version in the footer or checking the config_inc.php file
Check Version:
grep '\$g_version' config/config_inc.php || grep 'MANTIS_VERSION' mantisbt/core/constant_inc.php
Verify Fix Applied:
After upgrading to 2.27.2, attempt to submit a note longer than 10,000 characters - it should be rejected with an error message
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to bugnote_add.php with extremely large content length (>5MB)
- Database queries inserting unusually long text into bugnote table
Network Indicators:
- Large HTTP POST requests to note submission endpoints
SIEM Query:
source="web_access_logs" AND uri_path="/bugnote_add.php" AND content_length>5000000
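The SIEM query above assumes the request Content-Length is in the log. A standard Apache/Nginx combined log records the response size, not the request size, so the check below (an added example, not part of the advisory or the MantisBT project) assumes a custom access-log format that logs the request Content-Length header, such as Apache's `LogFormat "%h %t \"%r\" %>s %{Content-Length}i"`; the log lines are constructed for illustration.

```python
import re
from typing import Iterable, List, NamedTuple

# Assumed (constructed) log format:  <ip> [<timestamp>] "<request line>" <status> <request Content-Length>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<clen>\d+|-)$'
)

NOTE_ENDPOINT = "/bugnote_add.php"
THRESHOLD = 5_000_000  # bytes; matches the advisory's >5MB indicator


class Hit(NamedTuple):
    ip: str
    ts: str
    content_length: int


def find_oversized_note_posts(lines: Iterable[str], threshold: int = THRESHOLD) -> List[Hit]:
    """Return every POST to the note-submission endpoint whose request body
    exceeds `threshold` bytes. Lines that do not parse are skipped."""
    hits: List[Hit] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST" or m["clen"] == "-":
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path != NOTE_ENDPOINT:
            continue
        clen = int(m["clen"])
        if clen > threshold:
            hits.append(Hit(m["ip"], m["ts"], clen))
    return hits


# Constructed sample log: one normal note, one ~4.8MB note, one GET, one 7.2MB note.
SAMPLE_LOG = """\
203.0.113.7 [12/May/2025:10:01:02 +0000] "POST /bugnote_add.php HTTP/1.1" 302 1843
203.0.113.7 [12/May/2025:10:05:44 +0000] "POST /bugnote_add.php HTTP/1.1" 302 4812330
198.51.100.9 [12/May/2025:10:06:10 +0000] "GET /view.php?id=42 HTTP/1.1" 200 -
198.51.100.9 [12/May/2025:10:07:00 +0000] "POST /bugnote_add.php?x=1 HTTP/1.1" 302 7200000
"""

if __name__ == "__main__":
    for hit in find_oversized_note_posts(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} {hit.ip} posted {hit.content_length:,} bytes to {NOTE_ENDPOINT}")
```

With the advisory's 5MB threshold the 4.8MB request in the sample goes unflagged even though it exceeds the roughly 4.7 million characters that trigger the bug, so tune `threshold` to the note limit you actually enforce (for example the 10,000-character limit from the workarounds) rather than to the payload size.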
🔗 References
- https://github.com/mantisbt/mantisbt/commit/c99a41272532ba49b5c8dccb7797afead9864234
- https://github.com/mantisbt/mantisbt/commit/d5cec6bffb44d54bd412c186b9baa409b1aa4238
- https://github.com/mantisbt/mantisbt/commit/e9119c68b4a0eaa0bbde3deb121e81f5f7157361
- https://github.com/mantisbt/mantisbt/security/advisories/GHSA-r3jf-hm7q-qfw5