CVE-2025-20072

Medium

Published: 16 January 2025

Published

16 January 2025

Modified

24 September 2025

KEV Added

—

Patch

—

CVSS Score 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0023 45.8th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-20072 is a medium-severity Incorrect Type Conversion or Cast (CWE-704) vulnerability in Mattermost Mattermost Mobile. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 45.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the failure to validate the style property in post.props.attachments, preventing crashes from crafted malicious input in the mobile app.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the input validation flaw through patching Mattermost Mobile to versions beyond 2.22.0.

SI-11 Error Handling partial match

prevent

Mandates proper error handling for invalid proto styles to avoid application crashes and ensure graceful degradation.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Vulnerability enables crafted input to trigger client application crash (DoS) via type confusion in post attachment handling, directly matching application exploitation for endpoint denial of service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input.

Deeper analysisAI

CVE-2025-20072 affects Mattermost Mobile versions up to and including 2.22.0. The vulnerability stems from a failure to properly validate the style property of proto supplied to an action's style in post.props.attachments. This issue, published on 2025-01-16 and associated with CWE-704 (Incorrect Type Conversion or Cast), carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating medium severity primarily due to high availability impact.

An attacker requires low privileges, such as those of an authenticated user on a Mattermost server, to exploit the vulnerability over the network. Exploitation involves low complexity and no user interaction, allowing the attacker to deliver crafted malicious input that crashes the victim's Mattermost Mobile application, resulting in a denial-of-service condition without affecting confidentiality or integrity.

Mattermost has published security updates addressing this issue at https://mattermost.com/security-updates, where practitioners can find details on patches and mitigation steps.

Details

CWE(s): CWE-704

Affected Products

mattermost

mattermost mobile

≤ 2.23.0

CVEs Like This One

CVE-2025-20630Same product: Mattermost Mattermost Mobile

CVE-2026-24458Same vendor: Mattermost

CVE-2026-20719Same vendor: Mattermost

CVE-2026-2454Same vendor: Mattermost

CVE-2025-20621Same vendor: Mattermost

CVE-2026-40613Shared CWE-704

CVE-2026-1046Same vendor: Mattermost

CVE-2025-24490Same vendor: Mattermost

CVE-2026-2476Same vendor: Mattermost

CVE-2025-12421Same vendor: Mattermost

References

https://mattermost.com/security-updates
Vendor Advisory · responsibledisclosure@mattermost.com