CVE-2025-2571 — Incorrect Implementation of Authentication Algorithm in Mattermost Mattermost-server

CWE-303 — Incorrect Implementation of Authentication Algorithm CWE-122 — Heap-based Buffer Overflow6 documents5 sources

Severity

4.2MEDIUMNVD

EPSS

0.2%

top 61.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedMay 30

Latest updateJun 3

Description

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 1.6 | Impact: 2.5

Affected Packages4 packages

▶NVDmattermost/mattermost_server9.11.0 — 9.11.13+3

▶Gogithub.com/mattermost_mattermost-server9.0.0-rc1+incompatible — 9.11.13+incompatible+3

▶Gogithub.com/mattermost_mattermost_server_v810.7.0-rc1 — 10.7.1+4

▶CVEListV5mattermost/mattermost10.6.0 — 10.6.2+3

🔴Vulnerability Details

OSV

Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server↗2025-06-03

▶

GHSA

Mattermost fails to clear Google OAuth credentials↗2025-05-30

▶

CVEList

Google OAuth Authentication Bypass for Converted Bot Accounts↗2025-05-30

▶

OSV

Mattermost fails to clear Google OAuth credentials↗2025-05-30

▶

📋Vendor Advisories

Microsoft

Heap-based Buffer Overflow in vim/vim↗2022-08-09

▶