CVE-2025-35965: CWE-770: Allocation of Resources Without Limits or Throttling in Mattermost Mattermost

Medium
Published: Thu Apr 24 2025 (04/24/2025, 06:49:22 UTC)
Source: CVE
Vendor/Project: Mattermost
Product: Mattermost

Description

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition.

AI-Powered Analysis

AI analysis last updated: 06/24/2025, 02:57:58 UTC

Technical Analysis

CVE-2025-35965 is a medium-severity vulnerability affecting Mattermost versions 9.11.0 through 9.11.10, 10.4.0 through 10.4.2, and 10.5.0. The flaw resides in the UpdateRunTaskActions GraphQL operation, which fails to properly validate the uniqueness and quantity of task actions associated with specific posts. This lack of validation allows an attacker to create task items containing an excessive number of actions without any throttling or resource allocation limits. Consequently, the server becomes overloaded due to the processing of these excessive task actions, leading to a denial-of-service (DoS) condition. The vulnerability is categorized under CWE-770, which relates to allocation of resources without limits or throttling, a common cause of resource exhaustion attacks. Exploitation does not require authentication or user interaction, as the GraphQL endpoint can be accessed remotely. There are no known exploits in the wild at the time of publication, and no official patches have been released yet. The vulnerability was publicly disclosed on April 24, 2025, and has been enriched by CISA for awareness. The attack vector involves sending crafted GraphQL requests that trigger the creation of numerous task actions, overwhelming server resources such as CPU and memory, potentially causing service disruption or downtime for Mattermost deployments.
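The missing check the analysis describes is a server-side bound on the number and uniqueness of task actions before they are stored. The Go sketch below is an added example, not Mattermost's or the Playbooks plugin's own code; the TaskAction type, the field names and the MaxTaskActions limit are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// TaskAction is a hypothetical stand-in for a Playbooks task action: a trigger
// with its payload plus the action it fires. The real Mattermost types differ.
type TaskAction struct {
	TriggerType    string
	TriggerPayload string
	ActionType     string
	ActionPayload  string
}

// MaxTaskActions is an assumed upper bound on actions per task item (CWE-770 guard).
const MaxTaskActions = 20

var (
	ErrTooManyActions  = errors.New("too many task actions")
	ErrDuplicateAction = errors.New("duplicate task action")
)

// key renders an action in canonical form so semantically identical entries compare equal.
func (a TaskAction) key() string {
	return strings.Join([]string{a.TriggerType, a.TriggerPayload, a.ActionType, a.ActionPayload}, "\x00")
}

// ValidateTaskActions rejects an UpdateRunTaskActions-style input before persistence:
// it caps the quantity and refuses duplicates, which bounds the work done per post.
func ValidateTaskActions(actions []TaskAction) error {
	if len(actions) > MaxTaskActions {
		return fmt.Errorf("%w: %d > %d", ErrTooManyActions, len(actions), MaxTaskActions)
	}
	seen := make(map[string]struct{}, len(actions))
	for i, a := range actions {
		if _, dup := seen[a.key()]; dup {
			return fmt.Errorf("%w at index %d", ErrDuplicateAction, i)
		}
		seen[a.key()] = struct{}{}
	}
	return nil
}

func main() {
	// Constructed input: the same action repeated, as an oversized request would carry.
	dup := TaskAction{"keywords_posted", "incident", "mark_item_as_done", ""}
	fmt.Println(ValidateTaskActions([]TaskAction{dup, dup, dup}))
}
```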

Potential Impact

For European organizations using vulnerable versions of Mattermost, this vulnerability poses a significant risk of service disruption due to denial-of-service conditions. Mattermost is widely used as a collaboration and messaging platform in enterprises, government agencies, and critical infrastructure sectors. A successful DoS attack could interrupt internal communications, delay incident response, and degrade productivity. Organizations in sectors such as finance, healthcare, public administration, and telecommunications are particularly vulnerable due to their reliance on continuous, secure communication channels. Additionally, the disruption could indirectly impact data integrity and availability of dependent services. Since the vulnerability can be exploited remotely without authentication, attackers can launch attacks from outside the network perimeter, increasing the threat surface. The lack of throttling means that even a low number of malicious requests could escalate resource consumption rapidly, amplifying the impact. Given the strategic importance of communication platforms in European digital infrastructure, this vulnerability could affect operational continuity and trust in digital services.

Mitigation Recommendations

1. Upgrade Mattermost to a version in which this vulnerability is patched as soon as one is available. Until an official patch is applied, enforce strict rate limiting and request throttling on GraphQL endpoints, especially the UpdateRunTaskActions operation, to prevent excessive task action creation.
2. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block anomalous GraphQL requests that contain unusually high numbers of task actions.
3. Monitor server resource utilization closely and set up alerts for unusual spikes in CPU, memory, or task queue lengths related to Mattermost services.
4. Restrict access to the GraphQL API to trusted networks or authenticated users where possible, even though the vulnerability does not require authentication, to reduce exposure.
5. Conduct regular security assessments and penetration tests focusing on GraphQL endpoints to identify similar resource exhaustion risks.
6. Implement network-level protections such as IP reputation filtering and geo-blocking to limit exposure to potential attackers from high-risk regions.
7. Educate IT and security teams about this specific vulnerability and ensure incident response plans include steps to mitigate DoS attacks targeting collaboration platforms.

Technical Details

Data Version: 5.1
Assigner Short Name: Mattermost
Date Reserved: 2025-04-22T11:38:20.801Z
CISA Enriched: true

Threat ID: 682d9840c4522896dcbf1585

Added to database: 5/21/2025, 9:09:20 AM

Last enriched: 6/24/2025, 2:57:58 AM

Last updated: 8/5/2025, 12:19:25 AM
