CVE-2025-46556: MantisBT Vulnerable to Denial-of-Service (DoS) via Excessive Note Length
(updated )
A lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters). Once such a note is added:
References
- github.com/advisories/GHSA-r3jf-hm7q-qfw5
- github.com/mantisbt/mantisbt
- github.com/mantisbt/mantisbt/commit/c99a41272532ba49b5c8dccb7797afead9864234
- github.com/mantisbt/mantisbt/commit/d5cec6bffb44d54bd412c186b9baa409b1aa4238
- github.com/mantisbt/mantisbt/commit/e9119c68b4a0eaa0bbde3deb121e81f5f7157361
- github.com/mantisbt/mantisbt/security/advisories/GHSA-r3jf-hm7q-qfw5
- nvd.nist.gov/vuln/detail/CVE-2025-46556
Code Behaviors & Features
Detect and mitigate CVE-2025-46556 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →