CVE-2025-20630 - Vulnerability Details - OpenCVE

Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Mattermost	Mattermost Mobile

Configuration 1 [-]

cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://mattermost.com/security-updates

History

Wed, 24 Sep 2025 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost Mobile
CPEs		cpe:2.3:a:mattermost:mattermost_mobile::::::::
Vendors & Products		Mattermost Mattermost mattermost Mobile

Thu, 16 Jan 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 16 Jan 2025 18:30:00 +0000

Type	Values Removed	Values Added
Description		Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel.
Title		Mobile crash via object that can't be cast to String in Attachment Field
Weaknesses		CWE-1287
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2025-01-16T18:18:58.742Z

Updated: 2025-01-16T18:55:51.501Z

Reserved: 2025-01-16T18:10:41.938Z

Link: CVE-2025-20630

Vulnrichment

Updated: 2025-01-16T18:55:47.108Z

NVD

Status : Analyzed

Published: 2025-01-16T19:15:30.110

Modified: 2025-09-24T16:42:32.640

Link: CVE-2025-20630

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-20630", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2025-01-16T18:10:41.938Z", "datePublished": "2025-01-16T18:18:58.742Z", "dateUpdated": "2025-01-16T18:55:51.501Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "<=2.22.0", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "unaffected", "version": "2.23.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "c0rydoras (c0rydoras)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel."}], "value": "Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1287", "description": "CWE-1287: Improper Validation of Specified Type of Input", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2025-01-16T18:18:58.742Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost Mobile to version 2.23.0 or higher.</p>"}], "value": "Update Mattermost Mobile to version 2.23.0 or higher."}], "source": {"advisory": "MMSA-2024-00390", "defect": ["https://mattermost.atlassian.net/browse/MM-61161"], "discovery": "EXTERNAL"}, "title": "Mobile crash via object that can't be cast to String in Attachment Field", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-16T18:54:57.228284Z", "id": "CVE-2025-20630", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-16T18:55:51.501Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-20630", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-16T18:54:57.228284Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-16T18:55:47.108Z"}}], "cna": {"title": "Mobile crash via object that can't be cast to String in Attachment Field", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-61161"], "advisory": "MMSA-2024-00390", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "c0rydoras (c0rydoras)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "<=2.22.0"}, {"status": "unaffected", "version": "2.23.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Mobile to version 2.23.0 or higher.", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost Mobile to version 2.23.0 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel.", "supportingMedia": [{"type": "text/html", "value": "Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1287", "description": "CWE-1287: Improper Validation of Specified Type of Input"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2025-01-16T18:18:58.742Z"}}}, "cveMetadata": {"cveId": "CVE-2025-20630", "state": "PUBLISHED", "dateUpdated": "2025-01-16T18:55:51.501Z", "dateReserved": "2025-01-16T18:10:41.938Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2025-01-16T18:18:58.742Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0CB15D9-251D-4872-99D7-27AD709FBF25", "versionEndExcluding": "2.23.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel."}, {"lang": "es", "value": "Las versiones de Mattermost Mobile <=2.22.0 no gestionan adecuadamente las publicaciones con archivos adjuntos que contienen campos que no se pueden convertir a una cadena, lo que permite a un atacante provocar que el m\u00f3vil se bloquee al crear y enviar dicha publicaci\u00f3n a un canal."}], "id": "CVE-2025-20630", "lastModified": "2025-09-24T16:42:32.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-01-16T19:15:30.110", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1287"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}