Moderate severityNVD Advisory· Published Apr 16, 2025· Updated Apr 16, 2025
Webhook Secret Exposure via Timing attack in MSteams plugin
CVE-2025-27936
Description
Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | >= 10.5.0, < 10.5.2 | 10.5.2 |
github.com/mattermost/mattermost/server/v8Go | < 8.0.0-20250314142426-c049748b8863 | 8.0.0-20250314142426-c049748b8863 |
github.com/mattermost/mattermost-plugin-msteamsGo | < 2.1.0 | 2.1.0 |
Affected products
12- osv-coords11 versionspkg:apk/chainguard/mattermost-fips-10.5pkg:apk/chainguard/mattermost-fips-10.5-compatpkg:apk/chainguard/mattermost-fips-10.6pkg:apk/chainguard/mattermost-fips-10.6-compatpkg:apk/chainguard/mattermost-fips-10.7pkg:apk/chainguard/mattermost-fips-10.7-compatpkg:apk/chainguard/mattermost-fips-9.11pkg:apk/chainguard/mattermost-fips-9.11-compatpkg:golang/github.com/mattermost/mattermost-plugin-msteamspkg:golang/github.com/mattermost/mattermost/server/v8pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 0+ 10 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 10.7.1-r1
- (no CPE)range: < 10.7.1-r1
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 2.1.0
- (no CPE)range: >= 10.5.0, < 10.5.2
- (no CPE)range: < 0.0.20250422T181640-1.1
- Range: 10.5.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-2j87-p623-8cc2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-27936ghsaADVISORY
- mattermost.com/security-updatesghsaWEB
- pkg.go.dev/vuln/GO-2025-3618ghsaWEB
News mentions
0No linked articles in our index yet.