
CVE-2025-6227: Mattermost has Insufficiently Protected Credentials

CVSS Score (v3.1): 2.2

Basic Information

EPSS Score: 0.04864%
Published: 7/18/2025
Updated: 7/21/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

Package Name                                Ecosystem   Vulnerable Versions                   First Patched Version
github.com/mattermost/mattermost-server     go          >= 10.5.0, < 10.5.8                   10.5.8
github.com/mattermost/mattermost-server     go          >= 9.11.0, < 9.11.17                  9.11.17
github.com/mattermost/mattermost/server/v8  go          < 8.0.0-20250612074655-8f8612c63783   8.0.0-20250612074655-8f8612c63783

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability lies in the remote cluster invitation process where the same token from the invitation was reused for the established connection. This allowed an attacker who intercepted the invitation details to potentially send unauthorized payloads. The core of the vulnerability is in the remotecluster.Service.AcceptInvitation function, which failed to generate a new, unique token upon accepting an invitation. The provided patch addresses this by introducing a versioning system for invitations. For new version 2 invitations, AcceptInvitation now generates a fresh token. The app.App.CreateRemoteClusterInvite function was updated to create these new version 2 invites, and remotecluster.Service.ReceiveInviteConfirmation was updated to handle the new refreshed token sent back in the confirmation, thus completing the secure token negotiation flow. An engineer seeing this CVE would need to ensure their Mattermost instance is patched to a version where this new token negotiation logic is present to prevent potential abuse of the remote cluster feature.

Vulnerable functions

remotecluster.Service.AcceptInvitation
server/platform/services/remotecluster/invitation.go
The function `AcceptInvitation` was vulnerable because it directly used the token from the invitation (`invite.Token`) as the `RemoteToken` for the new cluster relationship. This meant that if an attacker intercepted the invitation, they could use that same token to impersonate the accepting cluster. The patch introduces a version check; for newer invitations (version 2 or higher), it generates a new random token (`model.NewId()`) instead of reusing the one from the invitation, thus fixing the vulnerability.

app.App.CreateRemoteClusterInvite
server/channels/app/remote_cluster.go
This function is responsible for creating the remote cluster invitation. It was part of the vulnerable process because it generated invitations without a version number, leading to the legacy behavior in `AcceptInvitation`. The patch modifies it to add `Version: 2` to all new invitations, signaling that the new token negotiation mechanism should be used.

remotecluster.Service.ReceiveInviteConfirmation
server/platform/services/remotecluster/recv.go
This function on the originating server processes the confirmation of the invitation. It was part of the vulnerable workflow as it did not handle a refreshed token. The patch adds logic to check for a `RefreshedToken` in version 2+ confirmations and updates the local token for the remote cluster accordingly, completing the secure token exchange.
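The token negotiation the three functions above describe, as an added Go illustration modelled on this page's description (it is not Mattermost's own code; the struct fields, the newToken helper standing in for model.NewId(), and the sample token are assumptions). Legacy invites keep the pre-patch behaviour so the two paths can be compared side by side:

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)
// Simplified stand-ins for the Mattermost types; field names are assumptions.
type Invite struct {
	Version int    // 0 or 1 = legacy invite, 2 = patched format
	Token   string // secret carried inside the invite itself
}
type Confirm struct {
	Version        int
	RefreshedToken string // populated only for version 2+ confirmations
}
type RemoteCluster struct{ RemoteToken string } // token used once the link is established

// newToken plays the role of model.NewId(): a fresh, unguessable token.
func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}
// acceptInvitation (accepting side): legacy invites reuse inv.Token as before the
// patch; version 2 invites get a fresh token, echoed back to the originator.
func acceptInvitation(inv Invite, gen func() string) (RemoteCluster, Confirm) {
	token, conf := inv.Token, Confirm{Version: inv.Version}
	if inv.Version >= 2 {
		token = gen()
		conf.RefreshedToken = token
	}
	return RemoteCluster{RemoteToken: token}, conf
}
// receiveInviteConfirmation (originating side): adopt the refreshed token so the
// one that travelled inside the invite is no longer trusted by either side.
func receiveInviteConfirmation(local *RemoteCluster, conf Confirm) {
	if conf.Version >= 2 && conf.RefreshedToken != "" {
		local.RemoteToken = conf.RefreshedToken
	}
}
// inviteTokenStillValid: true means a copy of the invite still authenticates to the link.
func inviteTokenStillValid(inv Invite, rc RemoteCluster) bool { return rc.RemoteToken == inv.Token }

func main() {
	inv := Invite{Version: 2, Token: "constructed-invite-token"} // constructed sample
	rc, _ := acceptInvitation(inv, newToken)
	fmt.Println("v2 invite token still valid:", inviteTokenStillValid(inv, rc))
}
```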
