GHSA-jf5h-xfw4-p8gp: Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection
Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <= 2.4.0 fail to validate the plugin bot's identity when forwarding reactions. This allows attackers to hijack the GitHub reaction feature and make users add reactions to arbitrary GitHub objects via crafted notification posts.
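As an added illustration of the check the advisory says was missing (example code written for this page, not the Mattermost server's or plugin's own code): the post fields, the prop keys gh_owner/gh_repo/gh_number, the bot user ID and the custom post type below are all constructed assumptions, and vulnerableTarget stands in for the flaw class (trusting post metadata without asking who authored the post) rather than reproducing the plugin's real code path.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Post is a deliberately minimal stand-in for a chat post as a plugin sees it.
// It is constructed for this example and is not the Mattermost model type.
type Post struct {
	ID     string
	UserID string            // ID of the account that created the post
	Type   string            // post type; a plugin can tag its own posts with a custom type
	Props  map[string]string // free-form metadata attached to the post
}

// ReactionTarget names the GitHub object a forwarded reaction would be applied to.
type ReactionTarget struct {
	Owner  string
	Repo   string
	Number int
}

// ForwardPolicy is what the plugin knows about its own identity.
// Both field names are assumptions made for this example.
type ForwardPolicy struct {
	BotUserID        string // user ID of the plugin's bot account
	NotificationType string // custom post type the plugin stamps on its notification posts
}

var (
	ErrNotBotPost = errors.New("post was not created by the plugin bot account")
	ErrWrongType  = errors.New("post is not a plugin notification post")
	ErrBadTarget  = errors.New("post lacks a well-formed GitHub target")
)

// targetFromProps parses the (constructed) prop keys gh_owner, gh_repo and gh_number.
// It rejects malformed values, but it cannot tell who wrote the post.
func targetFromProps(p Post) (ReactionTarget, error) {
	owner, repo, num := p.Props["gh_owner"], p.Props["gh_repo"], p.Props["gh_number"]
	for _, s := range []string{owner, repo} {
		if s == "" || strings.ContainsAny(s, "/ \t\r\n") {
			return ReactionTarget{}, ErrBadTarget
		}
	}
	n, err := strconv.Atoi(num)
	if err != nil || n <= 0 {
		return ReactionTarget{}, ErrBadTarget
	}
	return ReactionTarget{Owner: owner, Repo: repo, Number: n}, nil
}

// vulnerableTarget reflects the flaw class the advisory describes: the forwarding
// path trusts the post's metadata without checking who authored the post, so any
// user able to write a post carrying the expected props can steer a reaction.
func vulnerableTarget(p Post) (ReactionTarget, error) {
	return targetFromProps(p)
}

// hardenedTarget establishes the author's identity first and only then trusts the metadata.
func hardenedTarget(policy ForwardPolicy, p Post) (ReactionTarget, error) {
	if p.UserID != policy.BotUserID {
		return ReactionTarget{}, ErrNotBotPost
	}
	if p.Type != policy.NotificationType {
		return ReactionTarget{}, ErrWrongType
	}
	return targetFromProps(p)
}

// Constructed sample data: ghProps is the metadata a genuine notification carries;
// "spoofed" is the same metadata on a post written by an ordinary user account.
var ghProps = map[string]string{"gh_owner": "example-org", "gh_repo": "example-repo", "gh_number": "42"}

var (
	policy  = ForwardPolicy{BotUserID: "bot-user-id", NotificationType: "custom_gh_notification"}
	genuine = Post{ID: "p1", UserID: "bot-user-id", Type: "custom_gh_notification", Props: ghProps}
	spoofed = Post{ID: "p2", UserID: "other-user-id", Type: "custom_gh_notification", Props: ghProps}
)

func main() {
	for _, p := range []Post{genuine, spoofed} {
		vt, verr := vulnerableTarget(p)
		ht, herr := hardenedTarget(policy, p)
		fmt.Printf("post %s by %s: vulnerable -> %+v %v | hardened -> %+v %v\n",
			p.ID, p.UserID, vt, verr, ht, herr)
	}
}
```

Running it shows the vulnerable path resolving the same target for both posts, while the hardened path resolves only the post authored by the bot account; identity is checked before any metadata is parsed, so the metadata validation in targetFromProps is a second line of defence rather than the only one.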
CVE-2025-13352
Low severity. GitHub Reviewed. Published Dec 17, 2025 to the GitHub Advisory Database; updated Dec 17, 2025.
Package: github.com/mattermost/mattermost (gomod, Go)
Affected versions: < 10.11.7-0.20251106103514-3b05384dd014; >= 11.0.0-alpha.1, < 11.1.0
Patched versions: 10.11.7-0.20251106103514-3b05384dd014; 11.1.0

Package: github.com/mattermost/mattermost-plugin-github (gomod, Go)
Affected versions: < 1.0.1-0.20250829075715-0deffcfc6bee
Patched versions: 1.0.1-0.20250829075715-0deffcfc6bee

Package: github.com/mattermost/mattermost/server/v8 (gomod, Go)
Affected versions: >= 10.11.0-rc1, < 10.11.7-0.20251106103514-3b05384dd014
Patched versions: 10.11.7-0.20251106103514-3b05384dd014