CVE-2024-24988: Mattermost denial of service through long emoji value

February 29, 2024 (updated January 10, 2025)

Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server.

References

github.com/advisories/GHSA-6mx3-9qfh-77gj
github.com/mattermost/mattermost
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2024-24988

Code Behaviors & Features

Detect and mitigate CVE-2024-24988 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →