Home > Vulnerability Database > CVE-2025-13352

Mend.io Vulnerability Database

CVE-2025-13352

Good to know:

Date: December 17, 2025

Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts.

Severity Score

3.0

Related Resources (7)

Url: https://github.com/advisories/GHSA-jf5h-xfw4-p8gp

Url: https://github.com/mattermost/mattermost-plugin-github/commit/0deffcfc6bee7eaf01f7c99100e3d12e8d9df68c

Url: https://github.com/mattermost/mattermost

Url: https://github.com/mattermost/mattermost/commit/3b05384dd0146c1be3caa620a42e00e46027055d

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-13352

Url: https://mattermost.com/security-updates

Url: https://www.mend.io/vulnerability-database/CVE-2025-13352

Severity Score

3.0

Weakness Type (CWE)

Improper Validation of Specified Type of Input

CWE-1287

Top Fix

Upgrade Version

Upgrade to version github.com/mattermost/mattermost - v10.11.7;github.com/mattermost/mattermost - v11.1.0;github.com/mattermost/mattermost - v11.1.0+incompatible;github.com/mattermost/mattermost-plugin-github - v1.0.1-0.20250829075715-0deffcfc6bee;github.com/mattermost/mattermost-plugin-github - v1.0.1-0.20250829075715-0deffcfc6bee;https://github.com/mattermost/mattermost-plugin-github.git - v2.5.0

Learn More

CVSS v3.1

Base Score:	3.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-13352

Good to know:

Date: December 17, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?