
CVE-2025-27936: Mattermost vulnerable to Observable Timing Discrepancy

CVSS Score (CVSS v3.1): 5.3

Basic Information

EPSS Score: 0.13953%
Published: 4/16/2025
Updated: 4/23/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected packages:

Package Name                                    | Ecosystem | Vulnerable Versions                 | First Patched Version
github.com/mattermost/mattermost/server/v8      | go        | >= 10.5.0, < 10.5.2                 | 10.5.2
github.com/mattermost/mattermost-plugin-msteams | go        | <= 1.15.0                           | 2.1.0
github.com/mattermost/mattermost/server/v8      | go        | < 8.0.0-20250314142426-c049748b8863 | 8.0.0-20250314142426-c049748b8863

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability description clearly states a timing discrepancy in the MSTeams plugin webhook secret comparison. I started by examining the patched versions. The commit for v2.1.0 of mattermost-plugin-msteams was only a dependency update, indicating the fix was earlier. The server-side patches seemed unrelated to this specific vulnerability. By comparing versions v1.15.0 and v2.1.0 of the plugin, I identified commit cb17aca914577bff27d93f0f53cd6d2890530eab as a large refactoring. Analyzing this commit's changes to server/api.go revealed the direct fix: the processActivity function was modified to use subtle.ConstantTimeCompare for webhook secret validation, replacing the vulnerable direct string comparison. This directly addresses the described timing attack.
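To illustrate the class of fix described above, here is an added Go example (not the plugin's own code) that places a variable-time `==` secret check next to a constant-time one built on `subtle.ConstantTimeCompare`; the function names and the sample token are constructed for this illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Hypothetical stand-in for a webhook handler's secret check (not the
// plugin's real code). Go's == on strings stops at the first differing
// byte, so its running time depends on how long a prefix of the
// caller-supplied value matches the configured secret.
func secretMatchesVariableTime(provided, expected string) bool {
	return provided == expected
}

// Hardened form: subtle.ConstantTimeCompare inspects every byte no matter
// where the first mismatch is. It returns 0 straight away when the lengths
// differ, so both sides are hashed first; the comparison then always runs
// over 32 bytes and the secret's length is not exposed through timing.
func secretMatchesConstantTime(provided, expected string) bool {
	p := sha256.Sum256([]byte(provided))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(p[:], e[:]) == 1
}

func main() {
	// Constructed sample values, not a real secret.
	const configured = "s3cr3t-webhook-token"
	for _, candidate := range []string{configured, "s3cr3t-webhook-tokeX", "short"} {
		fmt.Printf("%-24q variable=%v constant=%v\n", candidate,
			secretMatchesVariableTime(candidate, configured),
			secretMatchesConstantTime(candidate, configured))
	}
}
```

Both functions return the same boolean for every input; the difference is only in how much the elapsed time reveals about where the mismatch occurred.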
