CVE-2025-13352
PUBLISHED
CVSS 3 LOW
Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <= 2.4.0 fail to validate the plugin bot's identity when forwarding reactions. This allows an attacker to hijack the GitHub reaction feature: by posting a crafted notification, the attacker can cause other users' reactions to be added to arbitrary GitHub objects.
EPSS 0.05% · 16.8th percentile
Risk Scores
- CVSS v3.1: 3 (LOW), vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
- EPSS Score: 0.05% (16.8th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | mattermost/mattermost/server/v8 | 10.11.0-rc1 |
| github.com | mattermost/mattermost | 11.0.0-alpha.1, 0 |
| mattermost | mattermost_server | 10.11.0 |
| Mattermost | Mattermost | 11.1.0, 10.11.7, 10.11.0 |
| github.com | mattermost/mattermost-plugin-github | 0 |
Timeline
- Dec 17, 2025 CVE Published
- Dec 17, 2025 PoC Published
- Dec 18, 2025 EPSS Score
- Dec 22, 2025 EPSS Score
- Dec 26, 2025 EPSS Score
- Dec 29, 2025 CVE Updated
- Dec 30, 2025 EPSS Score
- Jan 2, 2026 EPSS Score
- Jan 6, 2026 EPSS Score
- Jan 10, 2026 EPSS Score
- Jan 14, 2026 EPSS Score
- Jan 18, 2026 EPSS Score
References
- https://mattermost.com/security-updates (url)
- https://nvd.nist.gov/vuln/detail/CVE-2025-13352 (advisory)
- https://github.com/mattermost/mattermost-plugin-github/commit/0deffcfc6bee7eaf01f7c99100e3d12e8d9df68c (url)
- https://github.com/mattermost/mattermost/commit/3b05384dd0146c1be3caa620a42e00e46027055d (url)
- https://github.com/mattermost/mattermost (package)