CVE-2025-13352

3.0 LOW

📋 TL;DR

This vulnerability allows attackers to hijack Mattermost's GitHub reaction feature by exploiting improper plugin bot identity validation. Attackers can craft notification posts to make users add reactions to arbitrary GitHub objects without their consent. Affected systems include Mattermost versions 10.11.x up to 10.11.6 and Mattermost GitHub plugin versions up to 2.4.0.

💻 Affected Systems

Products:
  • Mattermost
  • Mattermost GitHub Plugin
Versions: Mattermost 10.11.x <= 10.11.6, GitHub Plugin <= 2.4.0
Operating Systems: All platforms running Mattermost
Default Config Vulnerable: ⚠️ Yes
Notes: Requires GitHub plugin integration to be enabled and configured.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could manipulate GitHub reactions on sensitive repositories, potentially causing confusion, miscommunication, or reputation damage by making users appear to endorse inappropriate content.

🟠

Likely Case

Attackers trick users into adding reactions to GitHub issues or pull requests they didn't intend to, potentially causing minor confusion or embarrassment.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to reaction manipulation only, with no data exposure or system compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker to have ability to post crafted notifications in Mattermost channels where GitHub plugin is active.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Mattermost 10.11.7 or later, GitHub Plugin 2.4.1 or later

Vendor Advisory: https://mattermost.com/security-updates

Restart Required: Yes

Instructions:

1. Update Mattermost to version 10.11.7 or later.
2. Update the GitHub plugin to version 2.4.1 or later.
3. Restart the Mattermost service.

🔧 Temporary Workarounds

Disable GitHub Plugin

all

Temporarily disable the GitHub plugin integration to prevent exploitation.

mmctl plugin disable com.github.mattermost.plugin-github

Restrict Notification Permissions

all

Limit which users can post notifications in channels with GitHub integration.

🧯 If You Can't Patch

  • Disable GitHub plugin integration entirely.
  • Implement strict access controls on who can post in channels with GitHub integration.

🔍 How to Verify

Check if Vulnerable:

Check Mattermost version with 'mattermost version' command and verify GitHub plugin version in System Console > Plugins.

Check Version:

mattermost version

Verify Fix Applied:

Confirm Mattermost version is 10.11.7+ and GitHub plugin is 2.4.1+ in System Console.
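An added example, not code from Mattermost or the plugin, that turns the two version checks above into a repeatable test. It assumes you have already captured the output of the mattermost version command and the plugin version shown in System Console > Plugins as plain strings; the affected ranges are exactly the ones listed on this page (Mattermost 10.11.x up to 10.11.6, GitHub plugin up to 2.4.0), and a Mattermost branch the page does not list is reported as such rather than guessed at.

```python
"""Check captured version strings against the ranges this advisory lists.

Example code, not part of Mattermost or the GitHub plugin. The only input
assumed is a string containing a dotted version, e.g. "10.11.6" or "v2.4.0".
"""
import re

# Fixed versions as stated in the advisory.
FIXED_SERVER = (10, 11, 7)   # Mattermost 10.11.7 or later
FIXED_PLUGIN = (2, 4, 1)     # GitHub plugin 2.4.1 or later


def parse_version(text: str) -> tuple:
    """Extract the first dotted numeric version from free text and pad it to
    three components, so "2.4" compares as (2, 4, 0)."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(0).split("."))
    return (parts + (0, 0, 0))[:3]


def server_status(version_text: str) -> str:
    """'affected', 'fixed', or 'not-listed' for the Mattermost server version."""
    v = parse_version(version_text)
    if v[:2] != (10, 11):
        # The advisory only covers the 10.11.x branch; do not extrapolate.
        return "not-listed"
    return "fixed" if v >= FIXED_SERVER else "affected"


def plugin_status(version_text: str) -> str:
    """'affected' or 'fixed' for the GitHub plugin version (all <= 2.4.0 affected)."""
    return "fixed" if parse_version(version_text) >= FIXED_PLUGIN else "affected"


def overall_status(server_text: str, plugin_text: str) -> str:
    """'exposed' if either component is in an affected range, 'patched' if both
    are at or above the fixed versions, otherwise 'review' (server branch not
    covered by this advisory)."""
    s, p = server_status(server_text), plugin_status(plugin_text)
    if "affected" in (s, p):
        return "exposed"
    if s == "fixed" and p == "fixed":
        return "patched"
    return "review"


if __name__ == "__main__":
    # Constructed inputs; replace with your captured strings.
    print(overall_status("10.11.6", "v2.4.0"))   # exposed
    print(overall_status("10.11.7", "2.4.1"))    # patched
```

Both components must be at or above their fixed versions before the instance counts as patched; a fixed server with an old plugin, or the reverse, is still reported as exposed.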

📡 Detection & Monitoring

Log Indicators:

  • Unusual reaction activity from GitHub plugin
  • Multiple reaction events from single notification

Network Indicators:

  • Unexpected GitHub API calls for reaction operations

SIEM Query:

source="mattermost" AND "github" AND "reaction" AND status="success" | stats count by user
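An added example, not code from Mattermost or the plugin, that implements the two log indicators listed above as offline checks over sample events. The JSON-lines format and its field names (event, post_id, post_author_id, user_id, github_call) are constructed for this example, as is the plugin bot user id; map them to the fields your own Mattermost and plugin logs actually carry. The first check reflects the root cause in the TL;DR (a reaction should only drive a GitHub call when the post really came from the plugin bot), the second flags the "multiple reaction events from single notification" indicator.

```python
"""Detection heuristics for reaction-driven GitHub calls (example code, not
Mattermost's). Log format and bot id below are assumptions for this example.
"""
import json
from collections import defaultdict

# Assumed: the user id the GitHub plugin bot posts under in your instance.
PLUGIN_BOT_USER_ID = "bot-github-0001"

# Constructed sample log: one legitimate notification (p-legit), one post by an
# ordinary user that was treated as a notification (p-crafted), one plain chat post.
SAMPLE_LOG = """\
{"event":"reaction_added","post_id":"p-legit","post_author_id":"bot-github-0001","user_id":"u-alice","github_call":"reactions.create"}
{"event":"reaction_added","post_id":"p-crafted","post_author_id":"u-mallory","user_id":"u-alice","github_call":"reactions.create"}
{"event":"reaction_added","post_id":"p-crafted","post_author_id":"u-mallory","user_id":"u-bob","github_call":"reactions.create"}
{"event":"reaction_added","post_id":"p-crafted","post_author_id":"u-mallory","user_id":"u-carol","github_call":"reactions.create"}
{"event":"reaction_added","post_id":"p-chat","post_author_id":"u-dave","user_id":"u-alice","github_call":null}
"""


def parse_events(text: str) -> list:
    """Parse one JSON object per non-empty line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_spoofed_notifications(events: list) -> list:
    """Indicator 1: a reaction produced a GitHub API call on a post whose
    author is not the plugin bot. Returns the affected post ids, sorted."""
    return sorted({
        e["post_id"] for e in events
        if e.get("event") == "reaction_added"
        and e.get("github_call")
        and e.get("post_author_id") != PLUGIN_BOT_USER_ID
    })


def find_reaction_bursts(events: list, threshold: int = 3) -> list:
    """Indicator 2: reactions from at least `threshold` distinct users on one
    post each produced a GitHub API call. Returns post ids, sorted."""
    users_per_post = defaultdict(set)
    for e in events:
        if e.get("event") == "reaction_added" and e.get("github_call"):
            users_per_post[e["post_id"]].add(e["user_id"])
    return sorted(p for p, users in users_per_post.items() if len(users) >= threshold)


def analyze(text: str, threshold: int = 3) -> dict:
    """Run both indicators over a log text and return the flagged post ids."""
    events = parse_events(text)
    return {
        "spoofed": find_spoofed_notifications(events),
        "bursts": find_reaction_bursts(events, threshold),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The author check is the stronger signal: a legitimate notification always carries the bot's user id, so a GitHub call tied to any other author is worth an alert on its own, while the burst threshold mainly helps prioritise which flagged posts reached the most users. Once the fixed versions are deployed the first indicator should go quiet, which also makes it a useful confirmation that the patch is in effect.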
