10

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-12419

GHSA ID

GHSA-3x39-62h4-f8j6

EPSS Score

0.00067%

CWE

CWE-287

Published

11/27/2025

Updated

12/1/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-12419

CVE-2025-12419: Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication

Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-12419

CVE-2025-12419:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-12419

GHSA ID

GHSA-3x39-62h4-f8j6

EPSS Score

0.00067%

CWE

CWE-287

Published

11/27/2025

Updated

12/1/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/mattermost/mattermost/server/v8	go	< 8.0.0-20251028000919-d3ed703dc833	8.0.0-20251028000919-d3ed703dc833
github.com/mattermost/mattermost-server	go	>= 10.12.0, < 10.12.2	10.12.2
github.com/mattermost/mattermost-server	go	>= 10.11.0, < 10.11.5	10.11.5
github.com/mattermost/mattermost-server	go	>= 10.5.0, < 10.5.13	10.5.13
github.com/mattermost/mattermost-server	go	>= 11.0.0, < 11.0.4	11.0.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided patches reveals a critical vulnerability in the OAuth state token validation process within Mattermost. The commits consistently show a change in the server/channels/app/oauth.go file, specifically within the App.AuthorizeOAuthUser function. The vulnerability stemmed from the way the expectedTokenExtra was generated and validated. The original implementation concatenated the user's email, a specified action, and a cookie value using a simple colon delimiter (email:action:cookie). This method was insecure because it did not account for the possibility of the email address itself containing a colon. An attacker could register a user with an email like attacker@example.com:some_action, thereby injecting a colon into the state token. When AuthorizeOAuthUser later constructed its expectedTokenExtra string for comparison, this injected colon would break the expected email:action:cookie format, allowing the attacker to manipulate the validation logic and potentially take over another user's account. The patch rectifies this by introducing a strict parsing function, parseOAuthStateTokenExtra, which splits the token string and ensures it contains exactly three parts before comparing each part individually. This prevents the token confusion and secures the OAuth flow. Therefore, the App.AuthorizeOAuthUser function is identified as the vulnerable function.

Vulnerable functions

App.AuthorizeOAuthUser

server/channels/app/oauth.go

The vulnerability lies in the `AuthorizeOAuthUser` function, which improperly validated the OAuth state token. The original code constructed an `expectedTokenExtra` string by concatenating an email, action, and cookie value using colons as separators. An attacker could provide a crafted email address containing a colon, which would cause the server to generate a malformed token string. This allowed for manipulation of the authentication data during the OAuth completion flow, as the simple string comparison against the `expectedToken.Extra` was not sufficient to prevent an attacker from controlling parts of the validated data. The patch replaces this weak validation with a new `parseOAuthStateTokenExtra` function that strictly splits the token into three parts and compares each component individually, thus preventing the injection of extra separators.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-12419: Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication

CVE-2025-12419:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

10

10

CVE-2025-12419: Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI