CVE-2025-11681: Denial of Service condition in M-Files Server

DESCRIPTION

Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2, and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash.

AFFECTED PRODUCTS

M-Files Server before 25.11.15392.1
M-Files Server before 25.2 LTS SR2 (25.2.14524.13)
M-Files Server before 25.8 LTS SR2 (25.8.15085.17)
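
A version triage check built from the fixed builds listed above, as an added example that is not M-Files code. The inventory and host names are constructed, and treating a build as belonging to an LTS track when its first three version components match that track's fixed build is an assumption.

```python
# Fixed builds, taken from the advisory's AFFECTED PRODUCTS list.
FIXED_MAIN = (25, 11, 15392, 1)
FIXED_LTS = {
    (25, 2, 14524): 13,  # 25.2 LTS SR2
    (25, 8, 15085): 17,  # 25.8 LTS SR2
}


def parse_version(text):
    """Parse 'a.b.c.d' into a 4-tuple of ints; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """Return True if the build predates the fix for its release track."""
    version = parse_version(version_text)
    branch, revision = version[:3], version[3]
    # Assumption: a build is on an LTS track when its first three
    # components match that track's fixed build number.
    if branch in FIXED_LTS:
        return revision < FIXED_LTS[branch]
    return version < FIXED_MAIN


def triage(inventory):
    """Map each host to 'affected', 'fixed' or 'unparsed'."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = "affected" if is_affected(version_text) else "fixed"
        except ValueError:
            result[host] = "unparsed"
    return result


if __name__ == "__main__":
    # Constructed inventory: host names and installed builds are made up.
    sample = {
        "vault-01": "25.2.14524.12",
        "vault-02": "25.8.15085.17",
        "vault-03": "25.10.15300.4",
        "vault-04": "n/a",
    }
    for host, status in sorted(triage(sample).items()):
        print(f"{host}: {status}")
```

Hosts reported as unparsed need a manual version check before they are counted as fixed.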

MORE INFORMATION

Calling a specific gRPC method with a specific request type crashes the MFserver process.

CVSS 4.0 Base Score: 7.1

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-400 Uncontrolled Resource Consumption

CAPEC: CAPEC-492 Regular Expression Exponential Blowup

Internal ID: CFO-440

Date issued: 2025-11-17

EXPLOITABILITY

Publicly disclosed: No
Exploited: No
Probability of exploitation: low – internally found

LINKS

https://www.cve.org/CVERecord?id=CVE-2025-11681

https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-197786

HISTORY

2025-11-17 Published
