CVE-2025-71388
Deferred Deferred - Pending Action

Stored XSS via Webhook Token Exposure in StoaChat

Vulnerability report for CVE-2025-71388, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: VulnCheck

Description

stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1 allow users with only ViewChannel (read) permission on a channel to fetch that channel's webhooks, including their tokens, because the webhook fetch endpoint checked for ViewChannel instead of ManageWebhooks. Using a retrieved token, an attacker can send arbitrary messages to the channel, bypassing channel permissions and impersonating a bot or webhook. Fixed in 20250210-1 (0.8.2).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
stoatchat stoatchat From 20241213-1 (inc) to 20250210-1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1. Users with only ViewChannel (read) permission can fetch a channel's webhooks, including their tokens, because the endpoint incorrectly checked for ViewChannel instead of ManageWebhooks. Attackers can use these tokens to send arbitrary messages to the channel, bypassing permissions and impersonating bots or webhooks.

Detection Guidance

This vulnerability can be detected by checking if users with ViewChannel permission can fetch webhook tokens in stoatchat (delta/Revolt) versions before 20250210-1. Review server logs for unauthorized webhook token access or messages sent via retrieved tokens. No specific commands are provided in the context.

Impact Analysis

An attacker could exploit this to send fake messages in your channels, impersonate bots or webhooks, and potentially deceive users into taking harmful actions. This could lead to misinformation, phishing, or unauthorized access to sensitive discussions.

Compliance Impact

This vulnerability could potentially impact compliance with GDPR and HIPAA by enabling unauthorized access to webhook tokens, which may allow attackers to send arbitrary messages to channels. This could lead to data breaches or unauthorized data exposure, violating confidentiality and integrity requirements under these regulations.

Mitigation Strategies

Immediately update stoatchat (delta/Revolt) to version 20250210-1 (0.8.2) or later to patch the vulnerability. Review and restrict ViewChannel permissions to prevent unauthorized webhook token access. Monitor channels for suspicious messages sent via webhooks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71388. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart