Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection

GHSA-jf5h-xfw4-p8gp · CVE-2025-13352 · GO-2025-4247

Published Dec 17, 2025 · Modified Dec 22, 2025

Description

Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-13352
WEB https://github.com/mattermost/mattermost-plugin-github/commit/0deffcfc6bee7eaf01f7c99100e3d12e8d9df68c
WEB https://github.com/mattermost/mattermost/commit/3b05384dd0146c1be3caa620a42e00e46027055d
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes