Primary

Context

Mattermost Denial-of-Service Vulnerability via Zip Bombs in File Uploads

Vulnerability

Patched

A denial-of-service vulnerability has been identified in Mattermost versions 11.4.x through 11.4.0, 11.3.x through 11.3.1, 11.2.x through 11.2.3, and 10.11.x through 10.11.11. The issue arises because these versions do not properly validate the sizes of decompressed archive entries during file extraction. This flaw allows authenticated users with file upload permissions to exploit the vulnerability by uploading crafted zip archives containing highly compressed entries, known as zip bombs. These zip bombs can exhaust server memory, leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability can cause the server to run out of memory, potentially leading to a crash or significant slowdown, disrupting normal operations and user access.

Remediation

Users can upgrade to Mattermost versions 11.5.0 or 11.6.0 to address this vulnerability.

Added: Mar 26, 2026, 5:23 PM

Updated: Mar 26, 2026, 5:23 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

5.2

remediation

7.7

relevance

4.7

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

5.2

remediation

7.7

relevance

4.7

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost Denial-of-Service Vulnerability via Zip Bombs in File Uploads

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating