CVE-2025-13352 LOW

CVE-2025-13352: Mattermost GitHub Plugin allows unauthorized GitHub reactions via reaction forwarding hijacking

Vendor Mattermost
Product Mattermost
Weakness CWE-1287
Published December 17, 2025
Last update December 17, 2025

CVSS base score

3.0/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

What the vulnerability does

Description

Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <= 2.4.0 fail to validate the plugin bot's identity during reaction forwarding. This allows an attacker to hijack the GitHub reaction feature: by crafting notification posts that imitate the plugin bot's, the attacker can cause users who react to those posts to add reactions to arbitrary GitHub objects.

Key dates

Disclosure timeline

December 17, 2025 CVE published
December 17, 2025 Record updated