CVE-2025-11579

github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.
Configurations

Configuration 1

cpe:2.3:a:nwaples:rardecode:*:*:*:*:*:go:*:*

History

16 Jan 2026, 20:56

References
  • Removed: https://github.com/nwaples/rardecode/commit/52fb4e825c936636f251f7e7deded39ab11df9a9 (untagged)
  • Added: https://github.com/nwaples/rardecode/commit/52fb4e825c936636f251f7e7deded39ab11df9a9 (Patch)
First Time
  • Added: Nwaples
  • Added: Nwaples rardecode
CPE
  • Added: cpe:2.3:a:nwaples:rardecode:*:*:*:*:*:go:*:*

02 Dec 2025, 10:16

Summary
  • Removed: (en) Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does not have access to
  • Added: (en) github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.
CVSS
  • Removed: v2 : unknown, v3 : 3.1
  • Added: v2 : unknown, v3 : 5.3
CWE
  • Removed: CWE-306
  • Added: CWE-789
References
  • Removed: https://mattermost.com/security-updates (source: responsibledisclosure@mattermost.com)
  • Added: https://github.com/nwaples/rardecode/commit/52fb4e825c936636f251f7e7deded39ab11df9a9

27 Nov 2025, 12:15

CWE
  • Removed: CWE-789
  • Added: CWE-306
References
  • Removed: https://github.com/nwaples/rardecode/commit/52fb4e825c936636f251f7e7deded39ab11df9a9 (source: responsibledisclosure@mattermost.com)
  • Added: https://mattermost.com/security-updates
CVSS
  • Removed: v2 : unknown, v3 : 5.3
  • Added: v2 : unknown, v3 : 3.1
Summary
  • Removed: (en) github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.
  • Added: (en) Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does not have access to

10 Oct 2025, 12:15

New CVE

Information

Published : 2025-10-10 12:15

Updated : 2026-01-16 20:56
NVD link : CVE-2025-11579

Mitre link : CVE-2025-11579

CVE.ORG link : CVE-2025-11579

Products Affected

nwaples

  • rardecode
CWE

CWE-789 : Memory Allocation with Excessive Size Value