CVE-2025-12421
CRITICAL9.9EPSS 0.09%Mattermost fails to to verify the token used during code exchange in github.com/mattermost/mattermost-server
Published: 11/27/2025Modified: 3/3/2026
Description
Mattermost fails to to verify the token used during code exchange in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server from v10.5.0 before v10.5.13, from v10.11.0 before v10.11.5, from v10.12.0 before v10.12.2, from v11.0.0 before v11.0.3.
Affected packages (6)
- Go/github.com/mattermost/mattermost-server>= 11.0.0, < 11.0.3
- Go/github.com/mattermost/mattermost-serverfrom 0
- Go/github.com/mattermost/mattermost-server/v5from 0
- Go/github.com/mattermost/mattermost-server/v6from 0
- Go/github.com/mattermost/mattermost/server/v8from 0, < 8.0.0-20251022210333-acda1fb5dd46
- Go/github.com/mattermost/mattermost/server/v8from 0, < 8.0.0-20251022210333-acda1fb5dd46
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
References (8)
- ADVISORYhttps://github.com/advisories/GHSA-mp6x-97xj-9x62
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-12421
- PATCHhttps://github.com/mattermost/mattermost
- WEBhttps://github.com/mattermost/mattermost/commit/5072bbf689a46b3b97b2373f26149f5891396e6b
- WEBhttps://github.com/mattermost/mattermost/commit/acda1fb5dd46a2f46c76ae67012423c760525eaa
- WEBhttps://github.com/mattermost/mattermost/commit/f361e7d75a7ab9df5a2106e1ceb919b94b55e41d
- WEBhttps://github.com/mattermost/mattermost/commit/feb598ed2b7ac3cb78a253b032ad7e4628b0de00
- WEBhttps://mattermost.com/security-updates