CVE-2025-8402: 
vulnerability analysis and mitigation

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, and 10.9.x <= 10.9.3 contain a vulnerability where the system fails to validate import data. This vulnerability was disclosed on August 21, 2025, and is tracked as CVE-2025-8402 (NVD).

The vulnerability is related to improper validation of specified type of input (CWE-1287) and NULL pointer dereference (CWE-476). The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, high privileges required, no user interaction, unchanged scope, and high impact on availability (NVD).

The vulnerability affects the availability of the Mattermost server, allowing a system administrator to crash the server through the bulk import feature. The impact is limited to system availability, with no direct effect on confidentiality or integrity (NVD).

Organizations should upgrade to versions newer than 10.8.3 for the 10.8.x series, 10.5.8 for the 10.5.x series, 9.11.17 for the 9.11.x series, 10.10.0 for the 10.10.x series, or 10.9.3 for the 10.9.x series (NVD).