Authentication Bypass Vulnerability in Mattermost by Mattermost, Inc.
CVE-2025-25068

8.8HIGH

Key Information:

Vendor
Mattermost
Vendor
CVE Published:
21 March 2025

Summary

Mattermost versions faced a significant vulnerability where multi-factor authentication (MFA) was not enforced on certain plugin endpoints. This oversight allows authenticated attackers to bypass MFA protections by exploiting API requests made to plugin-specific routes. Organizations using these affected versions are urged to assess their security posture and apply necessary patches or upgrades to mitigate potential risks.

Affected Version(s)

Mattermost 10.4.0 <= 10.4.2

Mattermost 10.3.0 <= 10.3.3

Mattermost 9.11.0 <= 9.11.8

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

0x7oda7123
.