CVE-2025-2475: Unauthorized Bot Login Using Credentials
First published: Mon Apr 14 2025(Updated: )
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot which allows an attacker to login to the bot exactly one time via normal credentials.
Credit: responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mattermost | <=10.5.1<=10.4.3<=9.11.9 | |
| go/github.com/mattermost/mattermost/server/v8 | >=10.4.0<10.4.4 | 10.4.4 |
| go/github.com/mattermost/mattermost/server/v8 | <8.0.0-20250220161544-fd356b62b4dd | 8.0.0-20250220161544-fd356b62b4dd |
| go/github.com/mattermost/mattermost/server/v8 | >=9.11.0<9.11.10 | 9.11.10 |
| go/github.com/mattermost/mattermost/server/v8 | >=10.5.0<10.5.2 | 10.5.2 |
Remedy
Update Mattermost to versions 10.6.0, 10.5.2, 10.4.4, 9.11.10 or higher.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://mattermost.com/security-updates
- https://nvd.nist.gov/vuln/detail/CVE-2025-2475
- https://github.com/mattermost/mattermost/commit/fd356b62b4dd3318d2c8019d2310abdd6ce24c8c
- https://github.com/mattermost/mattermost/commit/124547a9ef424431e1e6cf09bdba6c1099d415de
- https://github.com/mattermost/mattermost/commit/40fd60714bd055e00c16301ba6dc0fddfc44e15e
- https://github.com/mattermost/mattermost/commit/88523ceed8a7547c4a4203a30e7c3a8097346280
- https://github.com/mattermost/mattermost/commit/bcd7a4c2bd856dbb40fcda227b363fa5f6f548a7
- https://pkg.go.dev/vuln/GO-2025-3610
- https://github.com/advisories/GHSA-6rqh-8465-2xcw (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-2475?
CVE-2025-2475 is classified as a high severity vulnerability due to its potential to allow unauthorized access to user accounts.
How do I fix CVE-2025-2475?
To fix CVE-2025-2475, upgrade Mattermost to versions 10.5.2 or later, 10.4.4 or later, or 9.11.10 or later.
What versions of Mattermost are affected by CVE-2025-2475?
CVE-2025-2475 affects Mattermost versions 10.5.x up to 10.5.1, 10.4.x up to 10.4.3, and 9.11.x up to 9.11.9.
What type of attack can CVE-2025-2475 facilitate?
CVE-2025-2475 can facilitate an attack where an unauthorized individual can log in to a bot account using normal user credentials.
Is there any workaround for CVE-2025-2475?
There are no recommended workarounds for CVE-2025-2475, and an upgrade is necessary to mitigate the vulnerability.
- agent/remedy
- agent/title
- agent/weakness
- agent/first-publish-date
- agent/description
- agent/type
- agent/guess-ai
- agent/software-canonical-lookup
- agent/severity
- agent/author
- agent/source
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- agent/softwarecombine
- agent/last-modified-date
- agent/references
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-6rqh-8465-2xcw
- alias/CVE-2025-2475
- agent/tags
- agent/event
- vendor/mattermost
- canonical/mattermost
- package-manager/go