CVE-2025-13352

Mattermost GitHub Plugin allows unauthorized GitHub reactions via reaction forwarding hijacking

Description

Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts.

INFO

Published Date :

2025-12-17T12:11:25.563Z

Last Modified :

2025-12-17T16:48:08.118Z

Source :

Mattermost

AFFECTED PRODUCTS

The following products are affected by CVE-2025-13352 vulnerability.

Vendors	Products
Mattermost	Mattermost

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-13352.

URL	Resource
https://mattermost.com/security-updates

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact