First published: Fri Mar 21 2025
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.
Credit: responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mattermost | <=10.4.2, <=10.3.3, <=9.11.8, <=10.5.0 | |
| go/github.com/mattermost/mattermost/server/v8 | =10.5.0 | 10.5.1 |
| go/github.com/mattermost/mattermost/server/v8 | >=9.11.0 <9.11.9 | 9.11.9 |
| go/github.com/mattermost/mattermost/server/v8 | >=10.3.0 <10.3.4 | 10.3.4 |
| go/github.com/mattermost/mattermost/server/v8 | >=10.4.0 <10.4.3 | 10.4.3 |
| Mattermost | >=9.11.0 <9.11.9 | |
| Mattermost | >=10.3.0 <10.3.4 | |
| Mattermost | >=10.4.0 <10.4.3 | |
| Mattermost | >=10.5.0 <10.5.1 | |
Update Mattermost to versions 10.6.0, 10.4.3, 10.3.4, 9.11.9, 10.5.1 or higher.
CVE-2025-25068 has a critical severity level due to the potential for attackers to bypass MFA protections.
To fix CVE-2025-25068, upgrade Mattermost to a version that enforces MFA on plugin endpoints: 10.5.1, 10.4.3, 10.3.4, 9.11.9, 10.6.0 or higher.
CVE-2025-25068 affects Mattermost versions 10.4.x up to 10.4.2, 10.3.x up to 10.3.3, 9.11.x up to 9.11.8, and 10.5.x up to 10.5.0.
Authenticated attackers can exploit CVE-2025-25068 to bypass multi-factor authentication protections via API requests.
CVE-2025-25068 allows authenticated attackers to bypass multi-factor authentication settings on plugin endpoints.
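The bug class behind this advisory is an MFA gate applied to one routing subtree while plugin routes are mounted beside it, outside the gate. The following is an added illustration, written for this page and not Mattermost's own code: a toy Go HTTP server in two builds, one with the gate wrapping only the core API subtree and one with the gate applied once above every subtree. The session store, tokens, route paths and the `/api/v4/users/mfa` exemption are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Session is a constructed stand-in for an authenticated session.
type Session struct {
	UserID      string
	MFAEnabled  bool // the user has MFA configured on the account
	MFAVerified bool // this session has completed the MFA step
}

// sessions maps a bearer token to a session (constructed sample data).
var sessions = map[string]*Session{
	"tok-verified": {UserID: "alice", MFAEnabled: true, MFAVerified: true},
	"tok-pending":  {UserID: "bob", MFAEnabled: true, MFAVerified: false},
	"tok-nomfa":    {UserID: "carol", MFAEnabled: false},
}

func lookupSession(r *http.Request) *Session {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	return sessions[tok]
}

// requireSession rejects requests that carry no valid session.
func requireSession(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if lookupSession(r) == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// requireMFA blocks sessions that still owe an MFA step. The only exemption
// is the (hypothetical) endpoint used to complete MFA itself.
func requireMFA(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		s := lookupSession(r)
		pending := s != nil && s.MFAEnabled && !s.MFAVerified
		if pending && !strings.HasPrefix(r.URL.Path, "/api/v4/users/mfa") {
			http.Error(w, "mfa required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func ok(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok:", r.URL.Path) }

func coreAPI() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v4/users/me", ok)
	mux.HandleFunc("/api/v4/users/mfa", ok)
	return mux
}

func pluginAPI() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/plugins/", ok) // every plugin route lives under this prefix
	return mux
}

// NewVulnerableServer shows the bug class: plugin routes are authenticated
// but mounted beside the MFA gate rather than beneath it.
func NewVulnerableServer() http.Handler {
	root := http.NewServeMux()
	root.Handle("/api/v4/", requireSession(requireMFA(coreAPI())))
	root.Handle("/plugins/", requireSession(pluginAPI())) // no MFA gate here
	return root
}

// NewHardenedServer applies both gates once, above every subtree, so a
// newly mounted subtree cannot be forgotten.
func NewHardenedServer() http.Handler {
	root := http.NewServeMux()
	root.Handle("/api/v4/", coreAPI())
	root.Handle("/plugins/", pluginAPI())
	return requireSession(requireMFA(root))
}

// Probe sends a GET with the given token and returns the HTTP status code.
func Probe(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for name, h := range map[string]http.Handler{"vulnerable": NewVulnerableServer(), "hardened": NewHardenedServer()} {
		fmt.Printf("%-10s pending session on /plugins/example/hello -> %d\n",
			name, Probe(h, "/plugins/example/hello", "tok-pending"))
	}
}
```

The useful check for a deployment is the one `Probe` performs: with a session whose MFA step is still pending, every authenticated route, including every plugin route, should answer 403 until verification completes, and a route that answers 200 marks a subtree mounted outside the gate.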