CVE-2025-13352
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-29
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Mattermost versions 10.11.x up to 10.11.6 and Mattermost GitHub plugin versions up to 2.4.0. It occurs because these versions fail to validate the identity of plugin bots during reaction forwarding. This flaw allows attackers to hijack the GitHub reaction feature by sending crafted notification posts, causing users to add reactions to arbitrary GitHub objects without their intent.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing attackers to manipulate GitHub reactions on your behalf through crafted notification posts. This could lead to unauthorized reactions being added to GitHub objects, potentially causing confusion, miscommunication, or misuse of reaction features within your GitHub repositories.