CVE-2025-3913: Mattermost improperly allows team administrators to modify team invites
5.3
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8 | go | >= 10.7.0-rc1, < 10.7.1 | 10.7.1 |
| github.com/mattermost/mattermost/server/v8 | go | >= 10.6.0-rc1, < 10.6.3 | 10.6.3 |
| github.com/mattermost/mattermost/server/v8 | go | >= 10.5.0-rc1, < 10.5.4 | 10.5.4 |
| github.com/mattermost/mattermost/server/v8 | go | >= 9.0.0-rc1, < 9.11.13 | 9.11.13 |
| github.com/mattermost/mattermost/server/v8 | go | < 8.0.0-20250412152950-02c76784380a | 8.0.0-20250412152950-02c76784380a |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The description of CVE-2025-3913 states that Mattermost failed to properly validate permissions when changing team privacy settings: a team administrator who lacks the invite_user permission could access and modify team invite IDs through the /api/v4/teams/:teamId/privacy endpoint.

The fixing commit, 02c76784380acb6802601bd24c205553b9a5a1be, addresses this directly. The diff for server/channels/api4/team.go adds a check for model.PermissionInviteUser to the updateTeamPrivacy function, which is the handler for that endpoint. The absence of this check before the patch is the root cause, so updateTeamPrivacy is the vulnerable function.

Exploitation would consist of a team administrator without the invite_user permission calling this endpoint to change the team's privacy in a way that regenerates the invite ID, thereby bypassing the intended permission model.
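The pattern behind this root cause is a handler whose side effect (rotating the invite ID) is guarded by a different permission than the one it is checked against. The following Go program is an added illustration, not Mattermost's own code: the Session, Team, permission constants and both handler variants are constructed stand-ins that model the behaviour the analysis above describes, with the unpatched handler checking only a manage-team permission and the patched handler additionally requiring invite_user before the invite ID can change.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
)

// Permission names used by this example (constructed; they stand in for the
// constants the real server keeps in its model package).
const (
	PermissionManageTeam = "manage_team"
	PermissionInviteUser = "invite_user"
)

var ErrPermission = errors.New("permission denied")

// Team is a minimal stand-in for a team record: privacy type plus invite ID.
type Team struct {
	ID       string
	Type     string // "O" = open, "I" = invite-only
	InviteID string
}

// Session is a constructed stand-in for an authenticated caller's team permissions.
type Session struct {
	UserID string
	Perms  map[string]bool
}

func (s Session) HasPermission(p string) bool { return s.Perms[p] }

// newInviteID generates a random invite token (constructed format).
func newInviteID() string {
	b := make([]byte, 13)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// applyPrivacy is the shared side effect: changing privacy type also
// regenerates the invite ID, which is what makes the permission gap matter.
func applyPrivacy(t *Team, newType string) int {
	if t.Type != newType {
		t.Type = newType
		t.InviteID = newInviteID()
	}
	return http.StatusOK
}

// updateTeamPrivacyUnpatched models the pre-fix behaviour: only the team
// management permission is checked, so an admin without invite_user still
// rotates the invite ID as a side effect of flipping privacy.
func updateTeamPrivacyUnpatched(s Session, t *Team, newType string) (int, error) {
	if !s.HasPermission(PermissionManageTeam) {
		return http.StatusForbidden, ErrPermission
	}
	return applyPrivacy(t, newType), nil
}

// updateTeamPrivacyPatched models the fix: the invite_user permission is
// required as well, because the operation touches the invite ID.
func updateTeamPrivacyPatched(s Session, t *Team, newType string) (int, error) {
	if !s.HasPermission(PermissionManageTeam) {
		return http.StatusForbidden, ErrPermission
	}
	if !s.HasPermission(PermissionInviteUser) {
		return http.StatusForbidden, ErrPermission
	}
	return applyPrivacy(t, newType), nil
}

func main() {
	// Constructed caller: team admin who may manage the team but not invite users.
	admin := Session{UserID: "admin-1", Perms: map[string]bool{PermissionManageTeam: true}}

	before := &Team{ID: "team-1", Type: "O", InviteID: "original-invite-id"}
	code, err := updateTeamPrivacyUnpatched(admin, before, "I")
	fmt.Printf("unpatched: status=%d err=%v inviteChanged=%v\n", code, err, before.InviteID != "original-invite-id")

	after := &Team{ID: "team-1", Type: "O", InviteID: "original-invite-id"}
	code, err = updateTeamPrivacyPatched(admin, after, "I")
	fmt.Printf("patched:   status=%d err=%v inviteChanged=%v\n", code, err, after.InviteID != "original-invite-id")
}
```

The useful check for a reviewer is not the privacy flag itself but the side effect: any code path that rewrites an invite ID should be gated by the same permission that governs inviting users, regardless of which endpoint reaches it.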