CVE-2025-54499
BaseFortify
Publication date: 2025-10-16
Last updated on: 2025-10-21
Assigner: Mattermost, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.5.0 (inc) to 10.5.11 (exc) |
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Mattermost versions 10.5.x up to 10.5.10 and 10.11.x up to 10.11.2, where the software fails to use constant-time comparison for sensitive string comparisons. This flaw allows attackers to exploit timing oracles by analyzing response times to perform byte-by-byte brute force attacks on Cloud API keys and OAuth client secrets.
How can this vulnerability impact me?
An attacker can use this vulnerability to gradually guess sensitive credentials such as Cloud API keys and OAuth client secrets by measuring response times. This can lead to unauthorized access to systems or data protected by these credentials, potentially compromising security.
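The fix for CWE-208 in a secret check is to compare in a way whose running time does not depend on where the first mismatching byte is. The following Go example is added here to illustrate that; it is not Mattermost code and does not reproduce the patched functions. Go is used because Mattermost server is written in Go. It contrasts an early-exit byte loop (the pattern the CWE describes) with `crypto/subtle.ConstantTimeCompare`, and adds a hash-then-compare variant that also hides the secret's length. The `checkClientSecret` helper, its `store` map and the client IDs and secret values are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// insecureEqual is the pattern CWE-208 describes: it returns at the first
// mismatching byte, so its running time depends on how many leading bytes
// of the presented value match the secret. (Illustrative, not Mattermost code.)
func insecureEqual(presented, secret string) bool {
	if len(presented) != len(secret) {
		return false
	}
	for i := 0; i < len(secret); i++ {
		if presented[i] != secret[i] {
			return false // early exit: timing reveals the position of the first mismatch
		}
	}
	return true
}

// constantTimeEqual compares the two values in time that depends only on
// their length, using crypto/subtle. ConstantTimeCompare still returns 0
// immediately when the lengths differ, so it does disclose whether the
// presented value has the right length.
func constantTimeEqual(presented, secret string) bool {
	return subtle.ConstantTimeCompare([]byte(presented), []byte(secret)) == 1
}

// constantTimeEqualHashed hashes both sides first, so the comparison always
// runs over two fixed-size digests and neither content nor length of the
// secret influences the timing. This is the usual choice for variable-length
// API keys and client secrets.
func constantTimeEqualHashed(presented, secret string) bool {
	p := sha256.Sum256([]byte(presented))
	s := sha256.Sum256([]byte(secret))
	return subtle.ConstantTimeCompare(p[:], s[:]) == 1
}

// checkClientSecret shows how a request handler would use the hardened
// comparison: look up the stored secret, then compare without early exit.
// The store and identifiers are constructed for this example.
func checkClientSecret(store map[string]string, clientID, presented string) bool {
	stored, ok := store[clientID]
	if !ok {
		// Unknown client IDs still go through the full comparison against a
		// placeholder, so the lookup result is not observable through timing.
		stored = "placeholder-for-unknown-client"
	}
	match := constantTimeEqualHashed(presented, stored)
	return match && ok
}

func main() {
	store := map[string]string{"example-client": "constructed-client-secret-value"}
	fmt.Println(checkClientSecret(store, "example-client", "constructed-client-secret-value")) // true
	fmt.Println(checkClientSecret(store, "example-client", "constructed-client-secret-valuX")) // false
	fmt.Println(checkClientSecret(store, "unknown-client", "anything"))                        // false
}
```

When reviewing code for this class of bug, look for `==`, `bytes.Equal` or hand-written loops on values that act as bearer credentials (API keys, client secrets, tokens, HMAC tags) and replace them with `subtle.ConstantTimeCompare`, hashing first when the secret's length is itself sensitive.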