CVE-2025-31363Improper Validation of Generative AI Output in Mattermost Mattermost-server

CWE-1426Improper Validation of Generative AI OutputCWE-201Sensitive Info Insertion into Sent DataCWE-497Exposure of Sensitive System Information to an Unauthorized Control Sphere5 documents4 sources
Severity
6.5MEDIUMNVD
CNA3.0
EPSS
0.2%
top 63.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedApr 16
Latest updateApr 22

Description

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection in the AI plugin's Jira tool.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

NVDmattermost/mattermost_server9.11.09.11.10+2
Gogithub.com/mattermost_mattermost-server9.11.0+incompatible9.11.10+incompatible+2
CVEListV5mattermost/mattermost10.4.010.4.2+2

🔴Vulnerability Details

4
OSV
Mattermost doesn't restrict domains LLM can request to contact upstream in github.com/mattermost/mattermost-server2025-04-22
OSV
Mattermost doesn't restrict domains LLM can request to contact upstream2025-04-16
GHSA
Mattermost doesn't restrict domains LLM can request to contact upstream2025-04-16
CVEList
Data exfiltration via AI plugin Jira tool2025-04-16
CVE-2025-31363 — MEDIUM severity | cvebase