Mattermost 10.11.x<=10.11.6 & GitHub Plugin <=2.4.0: Improper Validation Enables Reaction Hijacking
CVE-2025-13352 Published on December 17, 2025
Mattermost GitHub Plugin allows unauthorized GitHub reactions via reaction forwarding hijacking
Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts.
Vulnerability Analysis
CVE-2025-13352 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
Improper Validation of Specified Type of Input
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
Products Associated with CVE-2025-13352
stack.watch emails you whenever new vulnerabilities are published in MatterMost or Mattermost Server. Just hit a watch button to start following.
Affected Versions
Mattermost:- Version 10.11.0, <= 10.11.6 is affected.
- Version 11.1.0 is unaffected.
- Version 10.11.7 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.