Low severity · NVD Advisory · Published Feb 24, 2025 · Updated Feb 24, 2025
Session Persistence After User-to-Bot Conversion
CVE-2025-1412
Description
Mattermost versions 9.11.x <= 9.11.6 and 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, which allows the converted user to escalate their privileges, depending on the permissions granted to the bot.
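To make the failure mode concrete, here is an added, self-contained Go model of the issue (constructed for this page; it is not Mattermost code and uses an in-memory `Store`, `ConvertUserToBotVulnerable` and `ConvertUserToBotFixed` as assumed names). The vulnerable conversion flips the account type and leaves pre-existing session tokens usable; the fixed conversion revokes every session for the account, which is the property the patch below establishes.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-in for the account and session tables. None of these
// types or functions come from Mattermost; they only model the behaviour.
type Session struct {
	Token  string
	UserID string
}

type Account struct {
	ID    string
	IsBot bool
}

type Store struct {
	accounts map[string]*Account
	sessions map[string]*Session // token -> session
	nextTok  int
}

var ErrInvalidToken = errors.New("invalid token")

func NewStore() *Store {
	return &Store{accounts: map[string]*Account{}, sessions: map[string]*Session{}}
}

func (s *Store) CreateUser(id string) {
	s.accounts[id] = &Account{ID: id}
}

// CreateSession issues a new token for userID, like a login would.
func (s *Store) CreateSession(userID string) string {
	s.nextTok++
	tok := fmt.Sprintf("tok-%d", s.nextTok)
	s.sessions[tok] = &Session{Token: tok, UserID: userID}
	return tok
}

// GetSession mirrors the "is this token still usable" check an API request performs.
func (s *Store) GetSession(token string) (*Session, error) {
	sess, ok := s.sessions[token]
	if !ok {
		return nil, ErrInvalidToken
	}
	return sess, nil
}

// RevokeAllSessions deletes every session belonging to userID and returns the count.
func (s *Store) RevokeAllSessions(userID string) int {
	n := 0
	for tok, sess := range s.sessions {
		if sess.UserID == userID {
			delete(s.sessions, tok)
			n++
		}
	}
	return n
}

// ConvertUserToBotVulnerable changes the account type but leaves existing
// sessions untouched: the pattern the advisory describes.
func (s *Store) ConvertUserToBotVulnerable(userID string) error {
	acct, ok := s.accounts[userID]
	if !ok {
		return errors.New("no such account")
	}
	acct.IsBot = true
	return nil
}

// ConvertUserToBotFixed performs the same conversion and then revokes all of
// the account's sessions, so tokens issued to the user cannot act as the bot.
func (s *Store) ConvertUserToBotFixed(userID string) error {
	if err := s.ConvertUserToBotVulnerable(userID); err != nil {
		return err
	}
	s.RevokeAllSessions(userID)
	return nil
}

// SessionSurvivesConversion reports whether a session issued before the
// conversion is still accepted afterwards, for the given convert function.
func SessionSurvivesConversion(convert func(*Store, string) error) bool {
	st := NewStore()
	st.CreateUser("alice")
	tok := st.CreateSession("alice")
	if err := convert(st, "alice"); err != nil {
		return false
	}
	_, err := st.GetSession(tok)
	return err == nil
}

func main() {
	fmt.Println("vulnerable: pre-conversion session still valid:",
		SessionSurvivesConversion((*Store).ConvertUserToBotVulnerable))
	fmt.Println("fixed: pre-conversion session still valid:",
		SessionSurvivesConversion((*Store).ConvertUserToBotFixed))
}
```

The detection angle for operators is the same check `SessionSurvivesConversion` performs: after any account-type or role change, a token minted before the change should be rejected, and a session table that still holds rows for the converted account is the signal that revocation did not happen.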
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8 | Go | < 8.0.0-20241217145510-faa7e4f2ea0c | 8.0.0-20241217145510-faa7e4f2ea0c |
| github.com/mattermost/mattermost/server/v8 | Go | >= 10.4.0-rc1, < 10.4.2 | 10.4.2 |
| github.com/mattermost/mattermost/server/v8 | Go | >= 9.11.0-rc1, < 9.11.7 | 9.11.7 |
Affected products
- Range: 9.11.0
Patches
faa7e4f2ea0c: MM-62188 - Revoke user sessions when converted to bot (#29573)
2 files changed · +19 −2
server/channels/app/bot.go+4 −0 modified@@ -614,5 +614,9 @@ func (a *App) ConvertUserToBot(rctx request.CTX, user *model.User) (*model.Bot, return nil, model.NewAppError("CreateBot", "app.bot.createbot.internal_error", nil, "", http.StatusInternalServerError).Wrap(err) } } + if err := a.RevokeAllSessions(rctx, user.Id); err != nil { + return nil, err + } + return bot, nil }
server/channels/app/bot_test.go+15 −2 modified@@ -872,21 +872,34 @@ func TestConvertUserToBot(t *testing.T) { }) }) - t.Run("valid user", func(t *testing.T) { + t.Run("valid user and session revoked", func(t *testing.T) { th := Setup(t).InitBasic() defer th.TearDown() + session, err := th.App.CreateSession(th.Context, &model.Session{UserId: th.BasicUser.Id, Props: model.StringMap{}}) + require.Nil(t, err) + + // make sure session is valid + testSession, err := th.App.GetSession(session.Token) + require.Nil(t, err) + require.False(t, testSession.IsExpired()) + bot, err := th.App.ConvertUserToBot(th.Context, &model.User{ Username: "username", Id: th.BasicUser.Id, }) require.Nil(t, err) defer func() { - err := th.App.PermanentDeleteBot(th.Context, bot.UserId) + err = th.App.PermanentDeleteBot(th.Context, bot.UserId) require.Nil(t, err) }() assert.Equal(t, "username", bot.Username) assert.Equal(t, th.BasicUser.Id, bot.OwnerId) + + // make sure session is no longer valid + _, err = th.App.GetSession(session.Token) + require.NotNil(t, err) + require.Equal(t, "api.context.invalid_token.error", err.Id) }) }
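Review bot: in the bot.go hunk, `a.RevokeAllSessions(rctx, user.Id)` runs only after the bot record has already been created, so a revocation failure returns `nil, err` to the caller while the account is already converted and its old sessions are still live. Consider revoking sessions before the conversion is committed, or treating a revocation error as grounds to roll the conversion back, so the partial-failure state is never "bot account with valid user sessions".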
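Review bot: the bot_test.go hunk creates a single session before conversion, so the test would still pass if only the most recent session were revoked rather than all of them. Creating a second session for `th.BasicUser.Id` and asserting that `th.App.GetSession` rejects both tokens with `api.context.invalid_token.error` would pin the "all sessions" property the commit message promises. The change from `err :=` to `err =` inside the deferred cleanup is correct now that `err` is declared earlier by `session, err := th.App.CreateSession(...)`.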