CVE-2025-54499: Mattermost has an Observable Timing Discrepancy vulnerability

CVSS Score
3.1

Basic Information

EPSS Score
0.06394%
Published
10/16/2025
Updated
10/16/2025
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
github.com/mattermost/mattermost/server/v8 | go | < 8.0.0-20250728063359-38208b8f065f | 8.0.0-20250728063359-38208b8f065f
github.com/mattermost/mattermost-server | go | >= 10.5.0, < 10.5.11 | 10.5.11
github.com/mattermost/mattermost-server | go | >= 10.11.0, < 10.11.3 | 10.11.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

Analysis of the provided patches indicates that the vulnerability lies in the IsValidWebAuthRedirectURL function. This function used a non-constant-time string comparison (strings.Index), which could be exploited in a timing attack. The patch replaces it with a safer comparison of URL components.

Note that there is a discrepancy between the vulnerability description, which mentions 'Cloud API keys and OAuth client secrets', and the actual code change in the provided commits, which concerns OAuth redirect URL validation against the siteURL. The identified vulnerable function does not directly handle API keys or client secrets. However, the core of the vulnerability, the lack of a constant-time comparison, is present and was fixed in the analyzed commits. Confidence is rated 'medium' because of this discrepancy.

Vulnerable functions

utils.IsValidWebAuthRedirectURL
server/channels/utils/utils.go
The function used `strings.Index` to compare the redirect URL with the site URL. `strings.Index` does not run in constant time, so the comparison is vulnerable to timing attacks: an attacker could potentially leak the `siteURL` by crafting redirect URLs and measuring response times.
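An illustrative Go reconstruction, added here and not the Mattermost project's code, of the weak shape the analysis describes beside a hardened form: the "before" does a raw `strings.Index` prefix search, the "after" parses both URLs and compares scheme and host as components, using `crypto/subtle` for the sensitive comparison. The `siteURL` value, the candidate redirects and all function names are constructed for this example; the `constantTimeEqual` helper is the general form of the fix and also covers the secret comparisons (API keys, client secrets) the CVE description names, which goes beyond the single function the page discusses.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/url"
	"strings"
)

// siteURL is a constructed sample value for this example, not a real deployment.
const siteURL = "https://chat.example.test"

// isValidRedirectLegacy reproduces the weak shape the analysis describes:
// a raw substring search with strings.Index. strings.Index stops at the first
// byte that differs, so its running time depends on how long the matching
// prefix is, and a plain prefix check also accepts hosts that merely begin
// with the site host. Kept here only as the "before" for contrast.
func isValidRedirectLegacy(redirect string) bool {
	return strings.Index(redirect, siteURL) == 0
}

// constantTimeEqual reports whether a and b are identical without letting the
// position of the first mismatching byte affect the running time. This is the
// general form of the fix for any sensitive string comparison (API keys,
// client secrets, and here the site host): crypto/subtle instead of == or
// the strings package.
func constantTimeEqual(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// isValidRedirectHardened is an illustrative hardened form (hypothetical, not
// the Mattermost patch itself): parse both URLs and require the redirect's
// scheme and host to equal the site's, comparing the host in constant time.
func isValidRedirectHardened(redirect string) bool {
	site, err := url.Parse(siteURL)
	if err != nil {
		return false
	}
	target, err := url.Parse(redirect)
	if err != nil {
		return false
	}
	// The scheme is public, so a plain comparison is fine here.
	if target.Scheme != site.Scheme {
		return false
	}
	// Reject relative URLs (empty host) and compare the host in constant time.
	return target.Host != "" && constantTimeEqual(target.Host, site.Host)
}

func main() {
	// Constructed candidates: a legitimate redirect, a wrong scheme, a
	// look-alike host that starts with the site URL, and a relative path.
	candidates := []string{
		"https://chat.example.test/login?next=%2Fchannels",
		"http://chat.example.test/login",
		"https://chat.example.test.other.test/",
		"/login",
	}
	for _, c := range candidates {
		fmt.Printf("%-50s legacy=%-5v hardened=%v\n",
			c, isValidRedirectLegacy(c), isValidRedirectHardened(c))
	}
}
```

Two points worth checking in a review of code like this: `subtle.ConstantTimeCompare` still returns immediately when the lengths differ, so it hides the content of a mismatch but not the length of the expected value, and comparing parsed components rather than raw strings is what stops the look-alike host (`chat.example.test.other.test`) that the prefix check accepts.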

WAF Protection Rules

WAF Rule

Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on