CVE-2025-13352: Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection
Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <= 2.4.0 fail to validate the plugin bot's identity during reaction forwarding, which allows attackers to hijack the GitHub reaction feature: a crafted notification post can make users add reactions to arbitrary GitHub objects.
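The check the advisory describes, shown as an added illustration rather than code from Mattermost or the plugin: before acting on a post's metadata, a reaction-forwarding handler must confirm the post was authored by the plugin's own bot account. `Post`, `propGitHubObject` and the `ResolveTarget*` functions are assumed names, not the plugin's API.

```go
package main

import (
	"errors"
	"regexp"
)

// Post is a minimal stand-in for a Mattermost post (hypothetical, not model.Post).
type Post struct {
	UserID string            // author of the post
	Props  map[string]string // custom post properties
}

// propGitHubObject is an assumed prop name under which the plugin's notification
// posts would record the GitHub object (owner/repo#number) they describe.
const propGitHubObject = "github_object"
var objectRef = regexp.MustCompile(`^[\w.-]+/[\w.-]+#\d+$`)

var (
	ErrNoTarget   = errors.New("post carries no GitHub object reference")
	ErrBadTarget  = errors.New("malformed GitHub object reference")
	ErrNotBotPost = errors.New("post not authored by the plugin bot; reaction not forwarded")
)

// targetFromProps reads and validates the object reference stored on a post.
func targetFromProps(post Post) (string, error) {
	ref, ok := post.Props[propGitHubObject]
	if !ok {
		return "", ErrNoTarget
	}
	if !objectRef.MatchString(ref) {
		return "", ErrBadTarget
	}
	return ref, nil
}

// ResolveTargetVulnerable treats any post whose props name a GitHub object as a
// plugin notification, so whoever authored the post decides where a reaction lands.
func ResolveTargetVulnerable(post Post) (string, error) {
	return targetFromProps(post)
}

// ResolveTargetFixed trusts the props only after confirming the post was
// authored by the plugin's own bot account.
func ResolveTargetFixed(post Post, botUserID string) (string, error) {
	if botUserID == "" || post.UserID != botUserID {
		return "", ErrNotBotPost
	}
	return targetFromProps(post)
}
```

The same origin check belongs on any server-side feature that acts on behalf of a user based on data carried in a post.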
References
- github.com/advisories/GHSA-jf5h-xfw4-p8gp
- github.com/mattermost/mattermost
- github.com/mattermost/mattermost-plugin-github/commit/0deffcfc6bee7eaf01f7c99100e3d12e8d9df68c
- github.com/mattermost/mattermost/commit/3b05384dd0146c1be3caa620a42e00e46027055d
- mattermost.com/security-updates
- nvd.nist.gov/vuln/detail/CVE-2025-13352