CVE-2025-0503

Source
https://cve.org/CVERecord?id=CVE-2025-0503
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-0503.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-0503
Published
2025-02-14T18:15:23.870Z
Modified
2026-04-10T05:20:17.145505Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint, which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.
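
The following is an added illustration of the filtering flaw described above; it is example code written for this page, not mattermost-server's own code. It assumes Mattermost's data conventions: direct-message ("D") and group-message ("G") channels carry an empty team ID, and a DM channel's name is the two participants' user IDs joined by "__". Under those assumptions a team-scoped deleted-channels lookup that also admits rows with an empty team ID returns DMs that were marked deleted directly in the database, exposing the participant user IDs in the channel name. The hardened filter requires an exact team match and a team channel type, so no DM/GM row can be returned regardless of its DeleteAt value. All channel rows and IDs are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// Channel is a simplified stand-in for a channel row. This is illustrative
// code written for this page, not mattermost-server's own type. It assumes
// Mattermost's conventions: DM ("D") and group-message ("G") channels carry
// an empty TeamID, and a DM's Name is the two participants' user IDs joined
// by "__".
type Channel struct {
	ID       string
	TeamID   string // "" for D and G channels
	Type     string // "O" open, "P" private, "D" direct, "G" group
	Name     string
	DeleteAt int64 // 0 = live, otherwise the deletion timestamp (ms)
}

// Constructed sample user IDs (26 characters, like Mattermost IDs).
const (
	userA = "useraaaaaaaaaaaaaaaaaaaaaa"
	userB = "userbbbbbbbbbbbbbbbbbbbbbb"
)

// sampleChannels returns constructed test data: one archived team channel,
// one live team channel, a DM and a GM that someone marked deleted directly
// in the database, and an archived channel on a different team.
func sampleChannels() []Channel {
	return []Channel{
		{ID: "c1", TeamID: "team1", Type: "O", Name: "old-project", DeleteAt: 1700000000000},
		{ID: "c2", TeamID: "team1", Type: "O", Name: "general", DeleteAt: 0},
		{ID: "c3", TeamID: "", Type: "D", Name: userA + "__" + userB, DeleteAt: 1700000001000},
		{ID: "c4", TeamID: "", Type: "G", Name: "groupmsg-hash", DeleteAt: 1700000002000},
		{ID: "c5", TeamID: "team2", Type: "P", Name: "finance", DeleteAt: 1700000003000},
	}
}

// deletedChannelsVulnerable models the flawed lookup: it returns every deleted
// row whose TeamID matches OR is empty. Since DMs/GMs have no team, the empty
// match lets them through, and their Name fields reveal participant user IDs.
func deletedChannelsVulnerable(all []Channel, teamID string) []Channel {
	var out []Channel
	for _, c := range all {
		if c.DeleteAt != 0 && (c.TeamID == teamID || c.TeamID == "") {
			out = append(out, c)
		}
	}
	return out
}

// deletedChannelsFixed is the hardened lookup: exact team match and only
// team-scoped channel types, so a DM/GM row can never be returned even if it
// was marked deleted by hand in the database.
func deletedChannelsFixed(all []Channel, teamID string) []Channel {
	var out []Channel
	for _, c := range all {
		if c.DeleteAt == 0 || c.TeamID != teamID {
			continue
		}
		if c.Type != "O" && c.Type != "P" {
			continue
		}
		out = append(out, c)
	}
	return out
}

// leakedDMParticipants collects the user IDs an attacker could infer from any
// DM rows present in a response (split on the assumed "__" separator).
func leakedDMParticipants(chs []Channel) []string {
	var ids []string
	for _, c := range chs {
		if c.Type == "D" {
			ids = append(ids, strings.Split(c.Name, "__")...)
		}
	}
	return ids
}

// containsNonTeamChannel is the check to run over a deleted-channels
// response after patching: true means DM/GM rows are still leaking.
func containsNonTeamChannel(chs []Channel) bool {
	for _, c := range chs {
		if c.Type == "D" || c.Type == "G" {
			return true
		}
	}
	return false
}

func main() {
	chs := sampleChannels()
	vuln := deletedChannelsVulnerable(chs, "team1")
	fixed := deletedChannelsFixed(chs, "team1")
	fmt.Printf("vulnerable filter: %d rows, leaks DM/GM: %v, inferred user IDs: %v\n",
		len(vuln), containsNonTeamChannel(vuln), leakedDMParticipants(vuln))
	fmt.Printf("fixed filter: %d rows, leaks DM/GM: %v\n",
		len(fixed), containsNonTeamChannel(fixed))
}
```

The practical takeaway is the shape of the regression check: after upgrading to 9.11.7 or later, feed the deleted-channels output for a team into a check like containsNonTeamChannel and treat any "D" or "G" row as a failure, since a DM that was manually marked deleted in the database is exactly the row the unfixed filter would have surfaced.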

References

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost-server
Events
Database specific
{
    "versions": [
        {
            "introduced": "9.11.0"
        },
        {
            "fixed": "9.11.7"
        }
    ]
}

Affected versions

@mattermost/client@9.*
@mattermost/client@9.11.0
@mattermost/types@9.*
@mattermost/types@9.11.0
v9.*
v9.11.0
v9.11.0-rc3
v9.11.1
v9.11.1-rc1
v9.11.2
v9.11.2-rc1
v9.11.2-rc2
v9.11.3
v9.11.3-rc1
v9.11.3-rc2
v9.11.4
v9.11.4-rc1
v9.11.5
v9.11.5-rc1
v9.11.6
v9.11.6-rc1
v9.11.6-rc2
v9.11.7-rc1
v9.11.7-rc2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-0503.json"