Low severity · OSV Advisory · Published Dec 17, 2025 · Updated Dec 17, 2025

Mattermost GitHub Plugin allows unauthorized GitHub reactions via reaction forwarding hijacking

CVE-2025-13352

Description

Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <= 2.4.0 fail to validate the plugin bot's identity when forwarding reactions, which allows attackers to hijack the GitHub reaction feature and make users add reactions to arbitrary GitHub objects via crafted notification posts.
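The following is an added illustration of the missing check the description refers to; it is not code from Mattermost or the GitHub plugin. It uses a simplified, constructed Post type and an assumed prop key (github_object) rather than the plugin's real data model. The unchecked variant trusts post metadata alone, so any post that carries the prop can steer where a user's reaction is forwarded; the hardened variant only forwards reactions on posts authored by the plugin's own bot account and fails closed when that bot ID is not configured.

```go
package main

import (
	"errors"
	"fmt"
)

// Post is a simplified, constructed model of a chat post; it is not the
// Mattermost model type, and the prop key below is an assumed name.
type Post struct {
	ID     string
	UserID string            // author of the post
	Props  map[string]string // metadata attached to the post
}

const githubObjectProp = "github_object" // assumed prop key, not the plugin's real one

var (
	ErrNoTarget   = errors.New("reaction forwarding: post carries no GitHub object")
	ErrNotBotPost = errors.New("reaction forwarding: post not authored by the plugin bot")
	ErrNoBotID    = errors.New("reaction forwarding: plugin bot user ID is not configured")
)

// Forwarder decides which GitHub object a user's reaction on a post should be forwarded to.
type Forwarder struct {
	BotUserID string // user ID of the plugin's own bot account
}

// TargetUnchecked models the flaw in the advisory: it trusts post metadata alone,
// so any user who can attach the prop to a post can choose the forwarding target.
func (f Forwarder) TargetUnchecked(p Post) (string, error) {
	target, ok := p.Props[githubObjectProp]
	if !ok || target == "" {
		return "", ErrNoTarget
	}
	return target, nil
}

// Target is the hardened check: only posts authored by the plugin bot are
// treated as notification posts whose reactions may be forwarded to GitHub.
func (f Forwarder) Target(p Post) (string, error) {
	if f.BotUserID == "" {
		return "", ErrNoBotID // fail closed rather than compare against an empty ID
	}
	if p.UserID != f.BotUserID {
		return "", ErrNotBotPost
	}
	return f.TargetUnchecked(p)
}

func main() {
	f := Forwarder{BotUserID: "bot-github"}
	// Constructed sample posts: one genuine bot notification, one user post
	// carrying the same metadata.
	legit := Post{ID: "p1", UserID: "bot-github",
		Props: map[string]string{githubObjectProp: "example-org/example-repo#42"}}
	crafted := Post{ID: "p2", UserID: "user-mallory",
		Props: map[string]string{githubObjectProp: "example-org/example-repo#7"}}
	for _, p := range []Post{legit, crafted} {
		u, uerr := f.TargetUnchecked(p)
		c, cerr := f.Target(p)
		fmt.Printf("post %s: unchecked=%q err=%v | checked=%q err=%v\n", p.ID, u, uerr, c, cerr)
	}
}
```

In a real plugin the comparison would be against the bot user ID the plugin obtained when it registered its bot, and the decision should be made server-side at forwarding time, not inferred from anything the post's author controls.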


Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
github.com/mattermost/mattermost/server/v8 | Go | >= 10.11.0-rc1, < 10.11.7-0.20251106103514-3b05384dd014 | 10.11.7-0.20251106103514-3b05384dd014
github.com/mattermost/mattermost | Go | < 10.11.7-0.20251106103514-3b05384dd014 | 10.11.7-0.20251106103514-3b05384dd014
github.com/mattermost/mattermost | Go | >= 11.0.0-alpha.1, < 11.1.0 | 11.1.0
github.com/mattermost/mattermost-plugin-github | Go | < 1.0.1-0.20250829075715-0deffcfc6bee | 1.0.1-0.20250829075715-0deffcfc6bee
