VYPR
Low severity · OSV Advisory · Published Dec 17, 2025 · Updated Dec 17, 2025

Mattermost GitHub Plugin allows unauthorized GitHub reactions via reaction forwarding hijacking

CVE-2025-13352

Description

Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <= 2.4.0 fail to validate the plugin bot's identity in reaction forwarding, which allows attackers to hijack the GitHub reaction feature and make users add reactions to arbitrary GitHub objects via crafted notification posts.
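The mechanics behind this description, as an added example that is not code from the advisory or from the Mattermost project: a simplified Go reaction mapper in the shape of the plugin's getPostPropsForReaction, shown once without and once with the bot-author check, run over a constructed post store containing a genuine bot notification and an ordinary user post that copies the same props. The Post and Reaction types, the prop key names, the user ids and the repository names are all assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Post and Reaction are minimal stand-ins for the Mattermost model types
// (assumption: only the fields the reaction mapper reads are modelled).
type Post struct {
	Id     string
	UserId string
	Props  map[string]any
}

type Reaction struct {
	PostId    string
	UserId    string
	EmojiName string
}

// Prop keys: names assumed for illustration; the plugin's real keys differ.
const (
	propGithubRepo       = "gh_repo"        // "owner/name"
	propGithubObjectID   = "gh_object_id"   // issue / PR number
	propGithubObjectType = "gh_object_type" // e.g. "issue"
)

// ReactionMapper resolves a Mattermost reaction to the GitHub object the
// reacted-to notification post refers to. BotUserID is the plugin's bot.
type ReactionMapper struct {
	BotUserID string
	posts     map[string]*Post // stand-in for the server's post store
}

// targetFromProps reads the GitHub coordinates a notification post carries.
func targetFromProps(post *Post) (org, repo string, id int, objectType string, ok bool) {
	full, ok := post.Props[propGithubRepo].(string)
	if !ok || full == "" {
		return "", "", 0, "", false
	}
	org, repo, found := strings.Cut(full, "/")
	if !found || org == "" || repo == "" {
		return "", "", 0, "", false
	}
	id, ok = post.Props[propGithubObjectID].(int)
	if !ok {
		return "", "", 0, "", false
	}
	objectType, ok = post.Props[propGithubObjectType].(string)
	if !ok || objectType == "" {
		return "", "", 0, "", false
	}
	return org, repo, id, objectType, true
}

// vulnerableTarget mirrors the pre-fix logic: any post carrying the GitHub
// props is trusted as a plugin notification post, whoever authored it.
func (m *ReactionMapper) vulnerableTarget(r *Reaction) (org, repo string, id int, objectType string, ok bool) {
	post := m.posts[r.PostId]
	if post == nil {
		return "", "", 0, "", false
	}
	return targetFromProps(post)
}

// fixedTarget adds the author check from the fix: the props are only honoured
// when the post was created by the plugin's own bot account.
func (m *ReactionMapper) fixedTarget(r *Reaction) (org, repo string, id int, objectType string, ok bool) {
	post := m.posts[r.PostId]
	if post == nil {
		return "", "", 0, "", false
	}
	if post.UserId != m.BotUserID {
		return "", "", 0, "", false
	}
	return targetFromProps(post)
}

// newSampleMapper builds a constructed post store: one genuine bot
// notification and one ordinary user post that copies the same props.
func newSampleMapper() *ReactionMapper {
	ghProps := func(repo string, n int, typ string) map[string]any {
		return map[string]any{propGithubRepo: repo, propGithubObjectID: n, propGithubObjectType: typ}
	}
	return &ReactionMapper{
		BotUserID: "bot-github",
		posts: map[string]*Post{
			"post-bot":    {Id: "post-bot", UserId: "bot-github", Props: ghProps("octo/widgets", 42, "issue")},
			"post-forged": {Id: "post-forged", UserId: "user-other", Props: ghProps("octo/other-repo", 7, "pull")},
		},
	}
}

func main() {
	m := newSampleMapper()
	r := &Reaction{PostId: "post-forged", UserId: "user-victim", EmojiName: "+1"}
	_, _, _, _, before := m.vulnerableTarget(r)
	_, _, _, _, after := m.fixedTarget(r)
	fmt.Printf("forged post forwarded? before fix: %v, after fix: %v\n", before, after)
}
```

The point of the comparison is that post props are data any post author can set, so they identify a GitHub object but not who asked for the forwarding; binding the mapper to post.UserId == BotUserID is what turns "a post with GitHub props" into "a notification this plugin created".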

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/mattermost/mattermost/server/v8 (Go)
  Affected versions: >= 10.11.0-rc1, < 10.11.7-0.20251106103514-3b05384dd014
  Patched versions:  10.11.7-0.20251106103514-3b05384dd014

Package: github.com/mattermost/mattermost (Go)
  Affected versions: < 10.11.7-0.20251106103514-3b05384dd014
  Patched versions:  10.11.7-0.20251106103514-3b05384dd014

Package: github.com/mattermost/mattermost (Go)
  Affected versions: >= 11.0.0-alpha.1, < 11.1.0
  Patched versions:  11.1.0

Package: github.com/mattermost/mattermost-plugin-github (Go)
  Affected versions: < 1.0.1-0.20250829075715-0deffcfc6bee
  Patched versions:  1.0.1-0.20250829075715-0deffcfc6bee


Patches

3b05384dd014

Update github prepackaged version (#34409)

https://github.com/mattermost/mattermost · Maria A Nunez · Nov 6, 2025 · via ghsa
1 file changed · +1 −1
  • server/Makefile · +1 −1 · modified
    @@ -143,7 +143,7 @@ TEMPLATES_DIR=templates
     # Plugins Packages
     PLUGIN_PACKAGES ?= $(PLUGIN_PACKAGES:)
     PLUGIN_PACKAGES += mattermost-plugin-calls-v1.10.0
    -PLUGIN_PACKAGES += mattermost-plugin-github-v2.4.0
    +PLUGIN_PACKAGES += mattermost-plugin-github-v2.5.0
     PLUGIN_PACKAGES += mattermost-plugin-gitlab-v1.10.0
     PLUGIN_PACKAGES += mattermost-plugin-jira-v4.3.0
     # We need to prepackage both versions of playbooks and install the correct one based on the server license. See MM-60025.
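Review bot: the commit message records only the bump from mattermost-plugin-github-v2.4.0 to v2.5.0 and does not say why; since this is the server-side remediation for the advisory, the message (or the PR description for #34409) should reference the advisory so the dependency bump is traceable as a security fix and so admins reading the changelog know that the prepackaged plugin now carries the reaction-mapper bot-id check.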
    
0deffcfc6bee

Add plugin bot id check to reaction mapper (#925)

https://github.com/mattermost/mattermost-plugin-github · Abbas Mehdi Naqvi · Aug 29, 2025 · via ghsa
1 file changed · +4 −0
  • server/plugin/plugin.go · +4 −0 · modified
    @@ -321,6 +321,10 @@ func (p *Plugin) getPostPropsForReaction(reaction *model.Reaction) (org, repo st
     		return org, repo, id, objectType, false
     	}
     
    +	if post.UserId != p.BotUserID {
    +		return org, repo, id, objectType, false
    +	}
    +
     	// Getting the Github repository from notification post props
     	repo, ok = post.GetProp(postPropGithubRepo).(string)
     	if !ok || repo == "" {
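Review bot: the new guard `if post.UserId != p.BotUserID` silently returns the zero-value tuple, the same result as a post that simply lacks GitHub props, so an operator has no signal that a non-bot post carrying notification props was rejected; consider a debug-level log naming the post id at that return, and add a unit test covering a post authored by a regular user with otherwise valid `postPropGithubRepo` props to pin the new behaviour.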
    

