CVE-2025-13352: Improper Validation of Specified Type of Input in Mattermost Mattermost

Severity: 3.0 LOW (NVD)
EPSS: 0.1% (top 80.70%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 17; Latest update Dec 22

Description

Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <= 2.4.0 fail to validate the plugin bot's identity in reaction forwarding, which allows attackers to hijack the GitHub reaction feature and make users add reactions to arbitrary GitHub objects via crafted notification posts. The flaw is on the forwarding side: a post that merely looks like a plugin notification is treated as one, so a reaction from a user who has connected their GitHub account is relayed to whatever GitHub object the crafted post names.
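The following is an added illustration of the missing check, written for this page and not taken from the Mattermost GitHub plugin's code. It assumes a hypothetical prop name (github_target), hypothetical Post/Reaction types, and that an ordinary user can create a post carrying that prop; the actual fix lives in the plugin and server versions listed under Affected Packages. ForwardUnchecked mirrors the described behaviour (any post with a target prop is forwarded), ForwardChecked adds the bot-identity test, and Scenario replays a victim reacting to one genuine and one crafted post against both.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed stand-ins for the Mattermost objects involved. Field and prop
// names are this example's own assumptions, not the plugin's real types.
type Post struct {
	UserID string            // author of the post
	Props  map[string]string // metadata the plugin attaches to its notification posts
}

type Reaction struct {
	PostID, UserID, EmojiName string
}

// ForwardedReaction records a reaction that would be sent to the GitHub API.
type ForwardedReaction struct {
	Target string // "owner/repo#number" (hypothetical encoding of the GitHub object)
	Emoji  string
}

// Forwarder stands in for the plugin's reaction-forwarding logic; Sent stands
// in for the GitHub API calls it would make.
type Forwarder struct {
	BotUserID string
	Posts     map[string]Post
	Sent      []ForwardedReaction
}

const targetProp = "github_target" // hypothetical prop name

var (
	ErrNotBotPost = errors.New("post was not created by the plugin bot; refusing to forward")
	ErrNoTarget   = errors.New("post carries no usable GitHub target")
)

// validTarget accepts only "owner/repo#number". It checks the shape of the prop,
// not who was allowed to set it, which is exactly the gap the advisory describes.
func validTarget(t string) bool {
	slash, hash := strings.Index(t, "/"), strings.LastIndex(t, "#")
	if slash <= 0 || hash <= slash+1 || hash == len(t)-1 {
		return false
	}
	for _, c := range t[hash+1:] {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// ForwardUnchecked mirrors the flaw: any post carrying a well-formed target
// prop is trusted, whoever authored it.
func (f *Forwarder) ForwardUnchecked(r Reaction) error {
	post, ok := f.Posts[r.PostID]
	if !ok {
		return fmt.Errorf("unknown post %q", r.PostID)
	}
	target := post.Props[targetProp]
	if !validTarget(target) {
		return ErrNoTarget
	}
	f.Sent = append(f.Sent, ForwardedReaction{Target: target, Emoji: r.EmojiName})
	return nil
}

// ForwardChecked adds the missing identity check: the post must have been
// authored by the plugin's own bot account before its props are trusted.
func (f *Forwarder) ForwardChecked(r Reaction) error {
	post, ok := f.Posts[r.PostID]
	if !ok {
		return fmt.Errorf("unknown post %q", r.PostID)
	}
	if post.UserID != f.BotUserID {
		return ErrNotBotPost
	}
	target := post.Props[targetProp]
	if !validTarget(target) {
		return ErrNoTarget
	}
	f.Sent = append(f.Sent, ForwardedReaction{Target: target, Emoji: r.EmojiName})
	return nil
}

// newForwarder builds the constructed scenario: one genuine bot notification
// (p1) and one crafted post by an ordinary user (p2) that imitates a
// notification and points at an unrelated issue.
func newForwarder() *Forwarder {
	return &Forwarder{
		BotUserID: "bot-user-id",
		Posts: map[string]Post{
			"p1": {UserID: "bot-user-id", Props: map[string]string{targetProp: "example-org/example-repo#1"}},
			"p2": {UserID: "attacker-user-id", Props: map[string]string{targetProp: "victim-org/victim-repo#42"}},
		},
	}
}

// Scenario replays a victim reacting to both posts against the unchecked and
// the checked forwarder and returns both for inspection.
func Scenario() (unchecked, checked *Forwarder) {
	unchecked, checked = newForwarder(), newForwarder()
	for _, id := range []string{"p1", "p2"} {
		r := Reaction{PostID: id, UserID: "victim-user-id", EmojiName: "+1"}
		_ = unchecked.ForwardUnchecked(r)
		_ = checked.ForwardChecked(r)
	}
	return unchecked, checked
}

func main() {
	u, c := Scenario()
	fmt.Println("unchecked forwarded:", u.Sent) // both targets, including victim-org/victim-repo#42
	fmt.Println("checked forwarded:  ", c.Sent) // only example-org/example-repo#1
}
```

The point of the check is that the GitHub object a reaction is relayed to must be derived from state the plugin itself wrote, so author identity (the bot user ID the plugin registered) is the trust anchor, not the presence or shape of a prop that any poster could supply. Equivalent designs store the target server-side keyed by post ID instead of in post props; either way the decision is made on data the attacker cannot author.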

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
Exploitability: 1.3 | Impact: 1.4

Affected Packages (6 packages; 4 rows shown)

Source  Package                                          Introduced                     Fixed
Go      github.com/mattermost_mattermost-plugin-github   (all earlier versions)         1.0.1-0.20250829075715-0deffcfc6bee
Go      github.com/mattermost_mattermost                 11.0.0-alpha.1+incompatible    11.1.0+incompatible (+2 further ranges)
Go      github.com/mattermost_mattermost_server_v8       10.11.0-rc1                    10.11.7-0.20251106103514-3b05384dd014
NVD     mattermost/mattermost_server                     10.11.0                        10.11.7

Vulnerability Details (4 references)

OSV      Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost (2025-12-22)
OSV      Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection (2025-12-17)
GHSA     Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection (2025-12-17)
CVEList  Mattermost GitHub Plugin allows unauthorized GitHub reactions via reaction forwarding hijacking (2025-12-17)

Threat Intelligence (1 reference)

Wiz      CVE-2025-13352 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-13352 — Mattermost Mattermost vulnerability | cvebase