CVE-2025-1398: Mattermost Desktop App allows the bypass of Transparency, Consent, and Control (TCC) via code injection
Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements, which allow an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code injection.
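A defensive check for this class of issue, as an added example that is not part of the advisory or Mattermost's code: it audits an entitlements plist (as dumped from a signed app with `codesign`) for hardened-runtime exceptions that relax code-injection protections alongside TCC-related entitlements. The advisory does not name the entitlements involved, so the key list below is an assumption drawn from Apple's documented entitlement keys, and the sample plist is constructed.

```python
import plistlib

# Apple hardened-runtime exception entitlements that relax code-injection
# protections. Assumption: the advisory does not say which ones were declared.
INJECTION_RISK = {
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* environment variables are honoured by the process",
    "com.apple.security.cs.disable-library-validation":
        "libraries not signed by the app's team can be loaded",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "unsigned executable memory is permitted",
    "com.apple.security.get-task-allow":
        "other processes may attach to the app (debug builds only)",
}
# Entitlements tied to TCC-protected resources; code running inside the app
# inherits whatever consent the user granted to it.
TCC_PREFIXES = ("com.apple.security.device.",
                "com.apple.security.personal-information.")


def audit_entitlements(plist_bytes):
    """Return enabled injection-risk and TCC-related entitlements."""
    ents = plistlib.loads(plist_bytes)
    enabled = {k for k, v in ents.items() if v is True}
    risky = sorted(k for k in enabled if k in INJECTION_RISK)
    tcc = sorted(k for k in enabled if k.startswith(TCC_PREFIXES))
    # Flag the combination: injectable process that also holds TCC access.
    return {"injection": risky, "tcc": tcc, "exposed": bool(risky and tcc)}


# Constructed sample, not Mattermost's real entitlements file.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.get-task-allow</key><false/>
</dict></plist>"""

if __name__ == "__main__":
    report = audit_entitlements(SAMPLE)
    for key in report["injection"]:
        print(f"RISK {key}: {INJECTION_RISK[key]}")
    print("TCC-related:", ", ".join(report["tcc"]) or "none")
    print("Injectable process with TCC access:", report["exposed"])
```

A finding here is a prompt to confirm whether each entitlement is actually required by the app, not proof of exploitability.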