
CVE-2025-54478: Mattermost Confluence Plugin is Missing Authentication for Critical Function

CVSS Score: 7.2 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 8/11/2025
Updated: 8/12/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Package Name: github.com/mattermost/mattermost-plugin-confluence
Ecosystem: go
Vulnerable Versions: < 1.5.0
First Patched Version: 1.5.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability, identified as CVE-2025-54478, stems from a lack of authentication on several critical API endpoints in the Mattermost Confluence Plugin. The root cause was the absence of a unified authentication and authorization check for endpoints that manage channel subscriptions.

Examining the patch that fixed this issue, commit de0a3d4c9eefa013e7d9f7a18d82eeced63322e6, shows how it was resolved. The developers introduced a new middleware function, checkAuth, in server/controller.go. This function inspects incoming HTTP requests for a Mattermost-User-Id header to verify the user's identity. Endpoints that require an authenticated caller are now explicitly marked with an IsAuthenticated: true flag in their definition, so the check is applied from the route table rather than left to each handler.

The most critical vulnerable function, as stated in the advisory, is handleEditChannelSubscription, which allowed unauthenticated attackers to modify existing subscriptions. However, the analysis of the patch shows that other functions like handleSaveSubscription (creating subscriptions) and handleGetChannelSubscription/handleGetChannelSubscriptions (retrieving subscription info) were also unprotected and were secured in the same commit. An exploit would involve sending a direct API call to one of the affected endpoints, such as a PUT request to /api/v1/{channelID}/subscription/{type} to trigger handleEditChannelSubscription, without providing a valid Mattermost-User-Id header.
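The pattern the analysis describes, a route table where each endpoint declares IsAuthenticated and a checkAuth middleware that rejects requests lacking the Mattermost-User-Id header, is illustrated below in Go. This is an added example and not the plugin's code: the Endpoint type, the route prefix, the constructed channelMembers data, the isChannelMember authorization hook and the EditSubscription driver are all assumptions chosen to make the pattern runnable. The one fact it relies on is that the Mattermost server sets Mattermost-User-Id on requests it proxies to a plugin on behalf of a logged-in user, so a missing header means an unauthenticated caller.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Endpoint is a hypothetical route description in the style the analysis
// describes: each endpoint states whether it requires an authenticated user.
type Endpoint struct {
	Pattern         string
	Handler         http.HandlerFunc
	IsAuthenticated bool
}

// checkAuth is an illustrative middleware, not the plugin's own code. Mattermost
// sets Mattermost-User-Id when it proxies a request for a logged-in user, so an
// empty header means the caller never authenticated to the Mattermost instance.
func checkAuth(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Mattermost-User-Id") == "" {
			http.Error(w, "Not authorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// channelMembers is constructed sample data standing in for a membership lookup.
// Authentication establishes who the caller is; this decides what they may change.
var channelMembers = map[string][]string{
	"channel-1": {"user-1"},
}

func isChannelMember(userID, channelID string) bool {
	for _, m := range channelMembers[channelID] {
		if m == userID {
			return true
		}
	}
	return false
}

// handleEditChannelSubscription stands in for the handler named in the advisory.
// Expected path shape: /api/v1/{channelID}/subscription/{type}
func handleEditChannelSubscription(w http.ResponseWriter, r *http.Request) {
	parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
	if len(parts) != 5 || parts[3] != "subscription" {
		http.NotFound(w, r)
		return
	}
	channelID, subType := parts[2], parts[4]
	userID := r.Header.Get("Mattermost-User-Id") // non-empty: checkAuth ran first
	if !isChannelMember(userID, channelID) {
		http.Error(w, "Forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "user %s updated the %s subscription in %s", userID, subType, channelID)
}

// NewRouter wraps every endpoint flagged IsAuthenticated with checkAuth, so the
// check comes from the route table instead of being remembered per handler.
func NewRouter(endpoints []Endpoint) http.Handler {
	mux := http.NewServeMux()
	for _, ep := range endpoints {
		h := ep.Handler
		if ep.IsAuthenticated {
			h = checkAuth(h)
		}
		mux.HandleFunc(ep.Pattern, h)
	}
	return mux
}

var routes = []Endpoint{
	{Pattern: "/api/v1/", Handler: handleEditChannelSubscription, IsAuthenticated: true},
}

// EditSubscription sends a PUT through the router, with the identity header only
// when userID is set, and returns the status code the handler answered with.
func EditSubscription(userID, channelID string) int {
	req := httptest.NewRequest(http.MethodPut, "/api/v1/"+channelID+"/subscription/page", nil)
	if userID != "" {
		req.Header.Set("Mattermost-User-Id", userID)
	}
	rec := httptest.NewRecorder()
	NewRouter(routes).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(EditSubscription("", "channel-1"))       // 401: no identity header
	fmt.Println(EditSubscription("user-2", "channel-1")) // 403: authenticated, not a member
	fmt.Println(EditSubscription("user-1", "channel-1")) // 200
}
```

The two-layer shape matters for the root cause the analysis names: checkAuth alone only proves that some Mattermost user is calling, and the handler still has to decide whether that user may manage the named channel, which is why the example keeps a separate (here, sample-data) membership check after the middleware.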


WAF Protection Rules

WAF Rule

Mattermost Confluence Plugin versions < 1.5.0 fail to enforce user authentication of the Mattermost instance, allowing unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint.
