PT-2025-51825 · Mattermost · Mattermost+1

Juho Forsén · Published 2025-08-21 · Updated 2026-01-06 · CVE-2025-13352

CVSS v3.1: 3.0 (Low)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Mattermost versions 10.11.x through 10.11.6
Mattermost GitHub plugin versions through 2.4.0

Description

The software does not properly validate the identity of plugin bots when forwarding reactions. This allows attackers to misuse the GitHub reaction feature, potentially causing users to add reactions to unintended GitHub objects through specially crafted notification posts. The issue involves reaction forwarding and a lack of proper bot identity verification.

Recommendations

Update Mattermost to a version later than 10.11.6.
Update the Mattermost GitHub plugin to a version later than 2.4.0.

Related Identifiers

BDU:2025-16347
CVE-2025-13352
GHSA-JF5H-XFW4-P8GP
GO-2025-4247
SUSE-SU-2026:0037-1

Affected Products

Mattermost
Mattermost GitHub Plugin