Low severity · OSV Advisory · Published Dec 17, 2025 · Updated Dec 17, 2025
Mattermost GitHub Plugin allows unauthorized GitHub reactions via reaction forwarding hijacking
CVE-2025-13352
Description
Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <= 2.4.0 fail to validate the plugin bot identity in reaction forwarding, which allows attackers to hijack the GitHub reaction feature and make users add reactions to arbitrary GitHub objects via crafted notification posts.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8 | Go | >= 10.11.0-rc1, < 10.11.7-0.20251106103514-3b05384dd014 | 10.11.7-0.20251106103514-3b05384dd014 |
| github.com/mattermost/mattermost | Go | < 10.11.7-0.20251106103514-3b05384dd014 | 10.11.7-0.20251106103514-3b05384dd014 |
| github.com/mattermost/mattermost | Go | >= 11.0.0-alpha.1, < 11.1.0 | 11.1.0 |
| github.com/mattermost/mattermost-plugin-github | Go | < 1.0.1-0.20250829075715-0deffcfc6bee | 1.0.1-0.20250829075715-0deffcfc6bee |
Affected products (5)
- Range: @mattermost/client@10.11.0, @mattermost/types@10.11.0, mattermost-redux@10.11.0, …
- GHSA coordinates (4 versions): pkg:golang/github.com/mattermost/mattermost, pkg:golang/github.com/mattermost/mattermost-plugin-github, pkg:golang/github.com/mattermost/mattermost/server/v8, pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6; range: < 10.11.7-0.20251106103514-3b05384dd014 (+ 3 more)
- (no CPE) range: < 10.11.7-0.20251106103514-3b05384dd014
- (no CPE) range: < 1.0.1-0.20250829075715-0deffcfc6bee
- (no CPE) range: >= 10.11.0-rc1, < 10.11.7-0.20251106103514-3b05384dd014
- (no CPE) range: < 0.0.20251230T014957-150000.1.134.1
References (5)
- github.com/advisories/GHSA-jf5h-xfw4-p8gp (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-13352 (source: GHSA; type: advisory)
- github.com/mattermost/mattermost-plugin-github/commit/0deffcfc6bee7eaf01f7c99100e3d12e8d9df68c (source: GHSA; type: web, fix commit)
- github.com/mattermost/mattermost/commit/3b05384dd0146c1be3caa620a42e00e46027055d (source: GHSA; type: web, fix commit)
- mattermost.com/security-updates (source: GHSA; type: web)