
CVE-2025-20630

Severity: Medium
Published: 16 January 2025
Modified: 24 September 2025
KEV Added: not listed
Patch: available (Mattermost Mobile 2.23.0 or later)
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0022 (44.7th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-20630 is a medium-severity Improper Validation of Specified Type of Input (CWE-1287) vulnerability in Mattermost Mobile (vendor: Mattermost). Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 44.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

Mattermost Mobile versions <=2.22.0 are affected by CVE-2025-20630, a vulnerability where the app fails to properly handle posts with attachments containing fields that cannot be cast to a String. This flaw allows an attacker to crash the mobile application by creating and sending such a malformed post to a channel. The issue is rated 6.5 on CVSS 3.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-1287.

Attackers require low privileges as an authenticated user (PR:L) and can exploit it remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in a denial-of-service condition, crashing the Mattermost Mobile app for all recipients viewing the channel, with high availability impact (A:H) but no compromise of confidentiality or integrity.

The Mattermost security updates page at https://mattermost.com/security-updates details the vulnerability and mitigation, recommending an upgrade to Mattermost Mobile version 2.23.0 or later, which resolves the improper handling of non-String fields in attachments.


Vulnerability details

Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel.

CWE(s)

CWE-1287 Improper Validation of Specified Type of Input

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability directly enables a remote denial of service by exploiting improper input handling in the mobile client application, which matches T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-20072 (same product: Mattermost Mobile)
CVE-2026-2454 (same vendor: Mattermost)
CVE-2025-20621 (same vendor: Mattermost)
CVE-2026-24458 (same vendor: Mattermost)
CVE-2026-20719 (same vendor: Mattermost)
CVE-2024-48858 (shared CWE-1287)
CVE-2025-20251 (shared CWE-1287)
CVE-2026-20074 (shared CWE-1287)
CVE-2025-24490 (same vendor: Mattermost)
CVE-2025-14273 (same vendor: Mattermost)

Affected Assets

Vendor: Mattermost
Product: Mattermost Mobile
Versions: ≤ 2.22.0 (fixed in 2.23.0)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation): requires input validation at critical points, directly preventing crashes from malformed attachment fields that cannot be cast to String in Mattermost Mobile.

prevent · SI-11 (Error Handling): mandates error handling without unhandled exceptions, addressing the app crash triggered by improper type casting of attachment fields.

prevent · SI-2 (Flaw Remediation): ensures timely identification and remediation of flaws such as the non-String field handling vulnerability, here via an upgrade to version 2.23.0 or later.
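As an added illustration of the SI-10 and SI-11 points above, and of the failure mode described in the deeper analysis, the following JavaScript is not Mattermost code (the client is a React Native app, hence the language). It contrasts a naive field renderer that concatenates attachment field values straight into a string with a defensive one that validates the value's type first and degrades to a placeholder. The post payload, the field names and all helper names are constructed for this example; the advisory only says that fields which cannot be cast to a String crash the client, not which code path fails, so the naive renderer stands in for that behaviour rather than reproducing the real bug.

```javascript
// Added example, not Mattermost code. Defensive handling of attachment
// field values that are not strings, beside a naive renderer that throws.

// Naive renderer: assumes every field value coerces to a string.
// In JavaScript, string concatenation throws a TypeError for Symbols and
// for objects that cannot be converted to a primitive (e.g. a null-prototype
// object), which is the kind of "cannot be cast to a String" input at issue.
function renderFieldNaive(field) {
  return field.title + ': ' + field.value;
}

// SI-10 style input validation: coerce any JSON-ish value into a display
// string without ever throwing. Unknown shapes become a placeholder, not a crash.
function toDisplayString(value) {
  if (value === null || value === undefined) return '';
  switch (typeof value) {
    case 'string': return value;
    case 'number':
    case 'boolean':
    case 'bigint': return String(value);
    case 'symbol': return value.description ?? '';
    case 'function': return '[unsupported value]';
    default:
      try {
        // Objects and arrays: show their JSON form (null-prototype objects
        // serialise fine here even though '' + obj would throw).
        return JSON.stringify(value) ?? '[unsupported value]';
      } catch (_e) {
        // Circular structures or nested BigInts make JSON.stringify throw.
        return '[unsupported value]';
      }
  }
}

function renderFieldSafe(field) {
  if (field === null || typeof field !== 'object') return '';
  const title = toDisplayString(field.title);
  const value = toDisplayString(field.value);
  return title ? `${title}: ${value}` : value;
}

// Naive pipeline: one bad field anywhere aborts rendering of the whole post.
function renderAttachmentsNaive(post) {
  return post.props.attachments.flatMap((att) => att.fields.map(renderFieldNaive));
}

// SI-11 style error handling: validate the container shape, and isolate each
// attachment so a single malformed one cannot take the rest (or the app) down.
function renderAttachmentsSafe(post) {
  const attachments = Array.isArray(post?.props?.attachments) ? post.props.attachments : [];
  return attachments.map((att, i) => {
    try {
      const fields = Array.isArray(att?.fields) ? att.fields : [];
      return fields.map(renderFieldSafe);
    } catch (e) {
      return [`[attachment ${i} could not be rendered: ${e.name}]`];
    }
  });
}

// Returns true if the naive renderer throws on this post, false otherwise.
function naiveRendererThrows(post) {
  try {
    renderAttachmentsNaive(post);
    return false;
  } catch (_e) {
    return true;
  }
}

// Constructed sample post (not a captured Mattermost message): the first field
// is well formed, the second carries an object, the third a value that cannot
// be coerced to a string at all.
const CONSTRUCTED_POST = {
  id: 'constructed-post-id',
  message: 'Status update',
  props: {
    attachments: [
      {
        fields: [
          { title: 'Service', value: 'api-gateway', short: true },
          { title: 'Details', value: { region: 'eu-west-1', retries: 3 }, short: false },
          { title: 'Token', value: Object.create(null), short: true },
        ],
      },
    ],
  },
};

console.log('naive renderer throws:', naiveRendererThrows(CONSTRUCTED_POST));
console.log('safe renderer output:', JSON.stringify(renderAttachmentsSafe(CONSTRUCTED_POST)));
```

Run it with `node`. The point of the per-attachment try/catch is that in a React Native app an exception that escapes a render is fatal unless an error boundary catches it; validating at the field level (SI-10) and containing failures at the attachment level (SI-11) are the two layers that turn a remote crash into a cosmetic placeholder.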
