Moderate severityOSV Advisory· Published Dec 24, 2025· Updated Dec 24, 2025
Mattermost Jira plugin crafted action leaks Jira issue details
CVE-2025-64641
Description
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | < 8.0.0-20251121122154-b57c297c6d7 | 8.0.0-20251121122154-b57c297c6d7 |
github.com/mattermost/mattermost-serverGo | >= 10.11.0, < 10.11.8 | 10.11.8 |
github.com/mattermost/mattermost-serverGo | >= 10.12.0, < 10.12.4 | 10.12.4 |
github.com/mattermost/mattermost-serverGo | >= 11.0.0, < 11.0.6 | 11.0.6 |
github.com/mattermost/mattermost-serverGo | >= 11.1.0, < 11.1.1 | 11.1.1 |
Affected products
4- Range: @mattermost/client@10.11.0, @mattermost/client@10.12.0, @mattermost/client@11.0.4, …
- ghsa-coords3 versionspkg:golang/github.com/mattermost/mattermost-serverpkg:golang/github.com/mattermost/mattermost/server/v8pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
>= 10.11.0, < 10.11.8+ 2 more
- (no CPE)range: >= 10.11.0, < 10.11.8
- (no CPE)range: < 8.0.0-20251121122154-b57c297c6d7
- (no CPE)range: < 0.0.20260226T182644-150000.1.149.1
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-vww6-79rv-3j4xghsaADVISORY
- mattermost.com/security-updatesghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-64641ghsaADVISORY
- github.com/mattermost/mattermost/commit/b57c297c6d7ae6812d85e32a625806ac9555deeeghsaWEB
- github.com/mattermost/mattermost/pull/34551ghsaWEB
- pkg.go.dev/vuln/GO-2026-4260ghsaWEB
News mentions
0No linked articles in our index yet.