PT-2025-16572 · Mattermost · Mattermost

Juho Forsén · Published 2025-04-16 · Updated 2025-04-23 · CVE-2025-31363

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Mattermost versions 9.11.x through 9.11.9
Mattermost versions 10.4.x through 10.4.2
Mattermost versions 10.5.x through 10.5.0

Description

The issue allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim by performing prompt injection against the AI plugin's Jira tool. The root cause is a failure to restrict the domains that the LLM can direct the tool to contact upstream: a URL taken from model output is requested without being checked against an allowlist.

Recommendations

For versions 9.11.x through 9.11.9, consider disabling the AI plugin's Jira tool until a patch is available.
For versions 10.4.x through 10.4.2, restrict access to the Jira tool to minimize the risk of exploitation.
For versions 10.5.x through 10.5.0, avoid using the AI plugin's Jira tool until the issue is resolved.
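The control the description says was missing is a server-side restriction on which hosts an LLM-driven tool may contact. The following Go example, added here and not taken from Mattermost or its AI plugin, shows the shape of such a check: the URL handed back as a tool argument is treated as untrusted input and validated against an operator-configured allowlist before any HTTP request is built. The names `AllowedJiraHosts`, `ValidateToolURL` and `IsAllowedToolURL`, the host `jira.example.com`, and the sample URLs are all constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// AllowedJiraHosts is the operator-configured set of hosts the Jira tool may
// contact. The entry is a placeholder for this constructed example; a real
// deployment would load the list from plugin configuration.
var AllowedJiraHosts = []string{"jira.example.com"}

// ErrHostNotAllowed is returned for any host outside the allowlist.
var ErrHostNotAllowed = errors.New("host is not in the Jira tool allowlist")

// ValidateToolURL checks a URL produced from LLM tool arguments before any
// HTTP request is made. It accepts the URL only if the scheme is https, no
// credentials are embedded, and the host exactly matches or is a subdomain
// of an allowlisted host. IP literals are rejected outright, so an injected
// instruction cannot point the tool at addresses that are not named hosts.
func ValidateToolURL(raw string, allowedHosts []string) (*url.URL, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return nil, fmt.Errorf("unparseable tool URL: %w", err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not permitted, only https", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials embedded in tool URL are not permitted")
	}
	// Normalise case and a trailing dot so "JIRA.EXAMPLE.COM." matches.
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == "" {
		return nil, errors.New("tool URL has no host")
	}
	if net.ParseIP(host) != nil {
		return nil, ErrHostNotAllowed
	}
	for _, allowed := range allowedHosts {
		allowed = strings.ToLower(allowed)
		// Suffix match is anchored on a dot, so "jira.example.com.other.example"
		// does not pass as a subdomain of "jira.example.com".
		if host == allowed || strings.HasSuffix(host, "."+allowed) {
			return u, nil
		}
	}
	return nil, ErrHostNotAllowed
}

// IsAllowedToolURL is the yes/no form a tool handler would consult before
// issuing a request, using the configured allowlist.
func IsAllowedToolURL(raw string) bool {
	_, err := ValidateToolURL(raw, AllowedJiraHosts)
	return err == nil
}

func main() {
	// Constructed sample of URLs a model might return as tool arguments,
	// including ones an injected instruction would try to steer it toward.
	samples := []string{
		"https://jira.example.com/rest/api/2/issue/PROJ-1",
		"https://issues.jira.example.com/browse/PROJ-2",
		"http://jira.example.com/rest/api/2/issue/PROJ-1",
		"https://jira.example.com.other.example/collect",
		"https://user:token@jira.example.com/x",
		"https://10.0.0.5/admin",
		"https://localhost:8065/api/v4/users",
	}
	for _, s := range samples {
		_, err := ValidateToolURL(s, AllowedJiraHosts)
		fmt.Printf("%-50s -> %v\n", s, err)
	}
}
```

The check deliberately runs on the URL the tool is about to fetch, not on the prompt text, because prompt-level filtering cannot be relied on against injection; whatever the model says, the outbound request is bounded by configuration. A production version would also pin the resolved address at connection time, since an allowlisted hostname can still resolve to an internal address.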

Fix

Weakness Enumeration

Related Identifiers

CVE-2025-31363
GHSA-9H6J-4FFX-CM84
GO-2025-3622
OPENSUSE-SU-2025:15017-1

Affected Products

Mattermost