CVE-2025-12421
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-12421, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-27

Last updated on: 2025-12-03

Assigner: Mattermost, Inc.

Description

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-27
Last Modified
2025-12-03
Generated
2026-07-06
AI Q&A
2025-11-27
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
mattermost mattermost_server From 10.5.0 (inc) to 10.5.13 (exc)
mattermost mattermost_server From 10.11.0 (inc) to 10.11.5 (exc)
mattermost mattermost_server From 10.12.0 (inc) to 10.12.2 (exc)
mattermost mattermost_server From 11.0.0 (inc) to 11.0.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-303 The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Mattermost versions up to 11.0.2 and certain 10.x versions occurs because the system fails to verify that the token used during the code exchange is from the same authentication flow. This flaw allows an authenticated user to take over another user's account by using a specially crafted email address when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires the ExperimentalEnableAuthenticationTransfer setting to be enabled and the RequireEmailVerification setting to be disabled.

Impact Analysis

This vulnerability can lead to a complete account takeover by an authenticated user, potentially allowing unauthorized access to sensitive information, impersonation of other users, and full control over the affected accounts. Given the high CVSS score of 9.9, the impact includes confidentiality, integrity, and availability being severely compromised.

Mitigation Strategies

To mitigate this vulnerability, ensure that the ExperimentalEnableAuthenticationTransfer setting is disabled or verify that RequireEmailVerification is enabled. Additionally, upgrade Mattermost to a version later than 11.0.2, 10.12.1, 10.11.4, or 10.5.12 as applicable to your version series.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12421. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart