CVE-2025-54499: Mattermost has an Observable Timing Discrepancy vulnerability
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets.
References
- github.com/advisories/GHSA-xr3w-rmvj-f6m7
- github.com/mattermost/mattermost
- github.com/mattermost/mattermost/commit/38208b8f065f0786eac0e968f9d754b91b62878c
- github.com/mattermost/mattermost/commit/97a4c7839cf5610cfe17c52042878aebb7678372
- mattermost.com/security-updates
- nvd.nist.gov/vuln/detail/CVE-2025-54499
Code Behaviors & Features
Detect and mitigate CVE-2025-54499 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →