3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-13352

CVE-2025-13352: Mattermost GitHub Plugin allows unauthorized GitHub reactions via reaction forwarding hijacking

Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-13352

CVE-2025-13352:

3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/mattermost/mattermost/server/v8	go	>= 10.11.0-rc1, < 10.11.7-0.20251106103514-3b05384dd014	10.11.7-0.20251106103514-3b05384dd014
github.com/mattermost/mattermost	go	< 10.11.7-0.20251106103514-3b05384dd014	10.11.7-0.20251106103514-3b05384dd014
github.com/mattermost/mattermost	go	>= 11.0.0-alpha.1, < 11.1.0	11.1.0
github.com/mattermost/mattermost-plugin-github	go	< 1.0.1-0.20250829075715-0deffcfc6bee	1.0.1-0.20250829075715-0deffcfc6bee

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided commits reveals the root cause of the vulnerability. The commit 0deffcfc6bee7eaf01f7c99100e3d12e8d9df68c in the mattermost/mattermost-plugin-github repository contains the security fix. The change is located in the server/plugin/plugin.go file, specifically in the getPostPropsForReaction function. The patch introduces a check to validate that the post being reacted to was created by the bot (post.UserId != p.BotUserID). The absence of this check in vulnerable versions allowed the plugin to process reactions on any post, which could be exploited by an attacker to add GitHub reactions to arbitrary objects. The second commit, 3b05384dd0146c1be3caa620a42e00e46027055d, in the mattermost/mattermost repository, simply updates the version of the pre-packaged GitHub plugin to include this fix, confirming that the vulnerability resides within the plugin itself.

Vulnerable functions

plugin.getPostPropsForReaction

server/plugin/plugin.go

This function is responsible for processing reactions to posts. The vulnerability lies in the fact that it did not verify that the reaction was initiated by the plugin's bot user. An attacker could create a crafted post that, when reacted to, would trigger the plugin to add a reaction to an arbitrary GitHub object on behalf of the user who reacted. The patch mitigates this by ensuring that only reactions on posts made by the bot are processed.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-13352: Mattermost GitHub Plugin allows unauthorized GitHub reactions via reaction forwarding hijacking

CVE-2025-13352:

3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

3

3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2025-13352: Mattermost GitHub Plugin allows unauthorized GitHub reactions via reaction forwarding hijacking

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI