PT-2025-42444 · Mattermost · Mattermost

Doyensec · Published 2025-10-16 · Updated 2025-11-07 · CVE-2025-54499
CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Mattermost versions 10.5.x through 10.5.10
Mattermost versions 10.11.x through 10.11.2
Description
Sensitive string comparisons (Cloud API keys and OAuth client secrets) are not performed in constant time: the comparison returns as soon as a byte differs, so response time varies with the length of the correct prefix of the submitted value. This creates a timing oracle that lets an unauthenticated remote attacker recover a key or secret byte by byte through response time analysis. Exploitation requires distinguishing small timing differences across many requests, which is why the vector rates attack complexity as high and the overall severity as Low.
Recommendations
Update Mattermost to a version beyond 10.5.10 (10.5 branch).
Update Mattermost to a version beyond 10.11.2 (10.11 branch).
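The comparison flaw the description refers to, the constant-time replacement the fix amounts to, and the byte-by-byte recovery the oracle enables, as an added Go example. This is not Mattermost's code: the sample secret, the candidate alphabet and the deterministic "bytes compared" counter that stands in for measured response time are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"fmt"
)

// Oracle is the attacker's view of the server: submit a candidate secret and
// learn whether it was accepted plus a timing measurement. The measurement is
// modelled deterministically as the number of bytes the server compared; on a
// real network it would be a noisy response-time estimate built from many
// samples, which is why the advisory rates attack complexity as high.
type Oracle func(guess []byte) (accepted bool, bytesCompared int)

// leakyOracle models the vulnerable pattern: a comparison that returns at the
// first mismatching byte, so the work done grows with the length of the
// correct prefix of the guess.
func leakyOracle(secret []byte) Oracle {
	return func(guess []byte) (bool, int) {
		if len(guess) != len(secret) {
			return false, 0
		}
		for i := range secret {
			if guess[i] != secret[i] {
				return false, i + 1 // early exit: the mismatch position leaks
			}
		}
		return true, len(secret)
	}
}

// constantTimeOracle models the fix: crypto/subtle.ConstantTimeCompare looks
// at every byte, so the work done does not depend on where a mismatch occurs.
func constantTimeOracle(secret []byte) Oracle {
	return func(guess []byte) (bool, int) {
		ok := subtle.ConstantTimeCompare(guess, secret) == 1
		return ok, len(secret)
	}
}

// recoverSecret is the byte-by-byte attack. It assumes the secret's length is
// known (true for fixed-format API keys) and, at each position, tries every
// candidate byte and keeps the one that made the server compare further than
// the rest. If all candidates measure the same, the oracle gives no signal and
// the attack stops, returning whatever it had recovered so far.
func recoverSecret(o Oracle, length int, alphabet []byte) ([]byte, bool) {
	guess := bytes.Repeat([]byte{alphabet[0]}, length)
	for pos := 0; pos < length; pos++ {
		bestByte, bestT, minT := byte(0), -1, int(^uint(0)>>1)
		for _, c := range alphabet {
			guess[pos] = c
			accepted, compared := o(guess)
			if accepted {
				return guess, true
			}
			if compared > bestT {
				bestByte, bestT = c, compared
			}
			if compared < minT {
				minT = compared
			}
		}
		if bestT == minT {
			return guess[:pos], false // no timing difference to exploit
		}
		guess[pos] = bestByte
	}
	return guess, false
}

func main() {
	// Constructed sample secret and alphabet; not a real key format.
	secret := []byte("7k2q9x")
	alphabet := []byte("abcdefghijklmnopqrstuvwxyz0123456789")

	got, ok := recoverSecret(leakyOracle(secret), len(secret), alphabet)
	fmt.Printf("early-exit compare:    recovered=%q complete=%v\n", got, ok)

	got, ok = recoverSecret(constantTimeOracle(secret), len(secret), alphabet)
	fmt.Printf("constant-time compare: recovered=%q complete=%v\n", got, ok)
}
```

Against the early-exit comparison the attacker needs at most len(alphabet) queries per byte and recovers the whole secret; against the constant-time comparison every candidate measures the same and the attack cannot get past the first byte. The same property is what makes subtle.ConstantTimeCompare (or hmac.Equal) the right primitive wherever a caller-supplied value is checked against a stored key or secret.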


Related Identifiers

BDU:2025-13339
CVE-2025-54499
GHSA-XR3W-RMVJ-F6M7
GO-2025-4036
OPENSUSE-SU-2025:15710-1

Affected Products

Mattermost