| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8 | go | >= 10.7.0-rc1, < 10.7.1 | 10.7.1 |
| github.com/mattermost/mattermost/server/v8 | go | >= 10.6.0-rc1, < 10.6.3 | 10.6.3 |
| github.com/mattermost/mattermost/server/v8 | go | >= 10.5.0-rc1, < 10.5.4 | 10.5.4 |
| github.com/mattermost/mattermost/server/v8 | go | >= 9.0.0-rc1, < 9.11.13 | 9.11.13 |
| github.com/mattermost/mattermost/server/v8 | go | < 8.0.0-20250412152950-02c76784380a | 8.0.0-20250412152950-02c76784380a |
The vulnerability (CVE-2025-3913) description states that Mattermost failed to properly validate permissions when changing team privacy settings: a team administrator who lacks the `invite_user` permission could access and modify team invite IDs via the `/api/v4/teams/:teamId/privacy` endpoint. The referenced commit 02c76784380acb6802601bd24c205553b9a5a1be directly addresses this issue. The diff for `server/channels/api4/team.go` shows that a permission check for `model.PermissionInviteUser` was added to the `updateTeamPrivacy` function, which is the handler for that API endpoint. The absence of this check before the patch is the root cause, making `updateTeamPrivacy` the vulnerable function. The exploit would involve a team administrator without the `invite_user` permission calling this endpoint to change team privacy in a way that regenerates the invite ID, thereby bypassing the intended permission model.
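The missing-check pattern described above, as an added illustration rather than Mattermost's own code: a privacy change that regenerates the team's invite ID must be gated on the same permission that invite management itself requires. The `Session`, `Team`, permission constants and handler names below are constructed stand-ins and do not correspond to identifiers in the Mattermost code base; the pre-patch variant only checks the team-management permission, the patched variant also requires the invite-user permission before any state changes.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed permission names for this example (not Mattermost's constants).
const (
	PermissionManageTeam = "manage_team"
	PermissionInviteUser = "invite_user"
)

// ErrForbidden is returned when the caller lacks a required permission.
var ErrForbidden = errors.New("forbidden: missing permission")

// Session is a constructed stand-in for an authenticated request context.
type Session struct {
	UserID      string
	Permissions map[string]bool
}

// HasPermission reports whether the session carries the named permission.
func (s *Session) HasPermission(p string) bool { return s.Permissions[p] }

// Team is a constructed model holding only the fields this example needs.
// Type "O" is an open team, "I" is invite-only.
type Team struct {
	ID       string
	Type     string
	InviteID string
}

// newInviteID returns a fresh random invite identifier.
func newInviteID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// applyPrivacyChange switches the team type and, because an invite link for
// the old privacy mode must not stay valid, regenerates the invite ID.
func applyPrivacyChange(t *Team, newType string) error {
	if newType != "O" && newType != "I" {
		return fmt.Errorf("invalid team type %q", newType)
	}
	if t.Type != newType {
		t.Type = newType
		t.InviteID = newInviteID()
	}
	return nil
}

// updateTeamPrivacyUnchecked mirrors the pre-patch behaviour described on the
// page: only the team-management permission is checked, so a caller without
// the invite permission still causes the invite ID to be regenerated.
func updateTeamPrivacyUnchecked(s *Session, t *Team, newType string) error {
	if !s.HasPermission(PermissionManageTeam) {
		return ErrForbidden
	}
	return applyPrivacyChange(t, newType)
}

// updateTeamPrivacyChecked adds the missing authorization step: since the
// operation touches the invite ID, the invite-user permission is required as
// well, and the check runs before any mutation so a denied call leaves the
// team untouched.
func updateTeamPrivacyChecked(s *Session, t *Team, newType string) error {
	if !s.HasPermission(PermissionManageTeam) {
		return ErrForbidden
	}
	if !s.HasPermission(PermissionInviteUser) {
		return ErrForbidden
	}
	return applyPrivacyChange(t, newType)
}

func main() {
	// Constructed sample: a team admin that can manage the team but not invite.
	limited := &Session{UserID: "admin-1", Permissions: map[string]bool{PermissionManageTeam: true}}
	team := &Team{ID: "team-1", Type: "O", InviteID: "original-invite-id"}

	fmt.Println("unchecked:", updateTeamPrivacyUnchecked(limited, team, "I"), "invite id changed:", team.InviteID != "original-invite-id")

	team2 := &Team{ID: "team-2", Type: "O", InviteID: "original-invite-id"}
	fmt.Println("checked:", updateTeamPrivacyChecked(limited, team2, "I"), "invite id changed:", team2.InviteID != "original-invite-id")
}
```

The detection side follows from the same split: an audit log entry for a privacy change whose actor lacked the invite permission at the time is the signal that the unpatched handler was in use.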