CVE-2017-18871: Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names

May 24, 2022 (updated December 3, 2025)

An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.

References

github.com/advisories/GHSA-jc6w-8r7f-vmp5
github.com/mattermost/mattermost
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2017-18871

Code Behaviors & Features

Detect and mitigate CVE-2017-18871 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →