x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-playbooks: GHSA-689c-xq7x-xjwf

Advisory [GHSA-689c-xq7x-xjwf](https://github.com/advisories/GHSA-689c-xq7x-xjwf) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/mattermost/mattermost-plugin-playbooks](https://pkg.go.dev/github.com/mattermost/mattermost-plugin-playbooks) |

Description:
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition.

References:
- ADVISORY: https://github.com/advisories/GHSA-689c-xq7x-xjwf
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-35965
- FIX: https://github.com/mattermost/mattermost-plugin-playbooks/commit/bf2633dad09f5768ce2bea4b7c5ffb74050052a8
- FIX: https://github.com/mattermost/mattermost/commit/2b5275d87136f07e016c8eca09a2f004b31afc8a
- WEB: https://mattermost.com/security-updates

No existing reports found with this module or alias.
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/mattermost/mattermost-plugin-playbooks
      versions:
        - fixed: 1.41.0
      non_go_versions:
        - introduced: TODO (earliest fixed "", vuln range ">= 2.0.0, < 2.1.1")
        - introduced: TODO (earliest fixed "", vuln range ">= 9.11.0, < 9.11.11")
        - introduced: TODO (earliest fixed "", vuln range ">= 10.5.0, < 10.5.1")
        - introduced: TODO (earliest fixed "", vuln range ">= 10.4.0, < 10.4.3")
        - fixed: 8.0.0-20250218121836-2b5275d87136
      vulnerable_at: 1.40.0
summary: |-
    Mattermost Playbooks fails to validate the uniqueness and quantity of task
    actions in github.com/mattermost/mattermost-plugin-playbooks
cves:
    - CVE-2025-35965
ghsas:
    - GHSA-689c-xq7x-xjwf
references:
    - advisory: https://github.com/advisories/GHSA-689c-xq7x-xjwf
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-35965
    - fix: https://github.com/mattermost/mattermost-plugin-playbooks/commit/bf2633dad09f5768ce2bea4b7c5ffb74050052a8
    - fix: https://github.com/mattermost/mattermost/commit/2b5275d87136f07e016c8eca09a2f004b31afc8a
    - web: https://mattermost.com/security-updates
notes:
    - fix: 'module merge error: could not merge versions of module github.com/mattermost/mattermost-plugin-playbooks: invalid or non-canonical semver version (found TODO (earliest fixed "", vuln range ">= 9.11.0, < 9.11.11"))'
source:
    id: GHSA-689c-xq7x-xjwf
    created: 2025-04-24T17:01:53.505440991Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-playbooks: GHSA-689c-xq7x-xjwf #3643

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-playbooks: GHSA-689c-xq7x-xjwf #3643

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions