CVE-2025-13352

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-13352

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13352.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-13352

Aliases

Downstream

SUSE-SU-2026:0037-1

Related

SUSE-SU-2026:0037-1

Published

2025-12-17T13:15:56.627Z

Modified

2026-03-23T05:03:38.092493117Z

Severity

3.0 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts.

References

https://mattermost.com/security-updates

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type

GIT

Repo

https://github.com/mattermost/mattermost-server

Events

Introduced

5b955468ea1ea8b56c0fb10feb258a36a767d7bb

Fixed

9d74b930db166e933d66d1873fb87afa6bc3e600

Database specific

{
    "versions": [
        {
            "introduced": "10.11.0"
        },
        {
            "fixed": "10.11.7"
        }
    ]
}

Affected versions

@mattermost/client@10.*

@mattermost/client@10.11.0

@mattermost/types@10.*

@mattermost/types@10.11.0

mattermost-redux@10.*

mattermost-redux@10.11.0

v10.*

v10.11.0

v10.11.0-rc3

v10.11.1

v10.11.1-rc1

v10.11.2

v10.11.2-rc1

v10.11.2-rc2

v10.11.3

v10.11.4

v10.11.4-rc1

v10.11.4-rc2

v10.11.4-rc3

v10.11.5

v10.11.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13352.json"