Mattermost, Improper Access Control, CVE-2025-22100 (Critical)

How the mentioned CVE works:

CVE-2025-22100 resides in the SAML SSO authentication flow of affected Mattermost versions. The flaw is that the server does not re-validate team join permissions after the initial SAML authentication. An attacker can intercept the SAML login process and manipulate the RelayState parameter, which normally specifies the target team. By changing this parameter to a different team's invite ID, the attacker bypasses the subsequent authorization checks: the server assumes the user is authorized for the team named in the manipulated RelayState, relying solely on the validated SAML assertion. The result is unauthorized team membership, which circumvents invite link restrictions and team privacy settings entirely and leads to a critical privilege escalation.
Platform: Mattermost
Version: <=10.11.1, 10.10.2, 10.5.10

Vulnerability : Access Control Bypass

Severity: Critical

Date: 2025-01-15

Prediction: Patch by 2025-01-29

What Undercode Says:

curl -X POST 'http://<target>/api/v4/teams/<team_id>/invite/email' -H 'Authorization: Bearer <token>' -d '["[email protected]"]'
nmap -p 8065 --script http-vuln-cve2025-22100 <target>
import requests
# RelayState is the parameter the vulnerable server trusted without re-checking team permissions
relay_state = "malicious_team_id"
saml_response = "base64_encoded_saml_assertion"
req = requests.post('https://mattermost/saml/login', data={'SAMLResponse': saml_response, 'RelayState': relay_state})

How the Exploit Works:

1. Attacker obtains a valid SAML response.

2. Attacker modifies RelayState parameter.

3. Sends crafted request to /saml/login endpoint.

4. Gains unauthorized team access.

Protection from this CVE:

Upgrade to Mattermost versions 10.11.2, 10.10.3, or 10.5.11.

Disable SAML SSO temporarily.

Implement WAF rules blocking suspicious RelayState values.
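The missing server-side step, shown as an added defensive illustration that is neither Mattermost's own code nor part of this post: after the SAML assertion is validated, the invite ID carried in RelayState is treated as untrusted input and checked against server state before the user is added to a team. The Team, User and Store types and the sample data are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Team, User and Store are constructed stand-ins, not Mattermost's own types.
type Team struct {
	ID              string
	InviteID        string // rotates when an admin regenerates the invite link
	AllowOpenInvite bool   // true: any authenticated user on the server may join
}
type User struct{ ID, Email string }
type Store struct {
	teamsByInvite  map[string]Team
	pendingInvites map[string]map[string]bool // team ID -> invited e-mail -> true
}

var ErrUnknownInvite = errors.New("RelayState invite ID matches no team")

// AuthorizeTeamJoin re-checks join rights after the SAML assertion has been validated.
// The assertion proves who the user is; RelayState only says where they asked to go.
func (s *Store) AuthorizeTeamJoin(u User, relayInviteID string) (Team, error) {
	team, ok := s.teamsByInvite[relayInviteID]
	if !ok {
		return Team{}, ErrUnknownInvite
	}
	if team.AllowOpenInvite || s.pendingInvites[team.ID][u.Email] {
		return team, nil
	}
	return Team{}, fmt.Errorf("%s holds no invitation to private team %s", u.Email, team.ID)
}

// NewSampleStore builds constructed sample data: one open team, one private team.
func NewSampleStore() *Store {
	open := Team{ID: "open-team", InviteID: "inv-open-111", AllowOpenInvite: true}
	priv := Team{ID: "finance-team", InviteID: "inv-fin-222"}
	return &Store{
		teamsByInvite:  map[string]Team{open.InviteID: open, priv.InviteID: priv},
		pendingInvites: map[string]map[string]bool{priv.ID: {"cfo@example.com": true}},
	}
}

func main() {
	s, alice := NewSampleStore(), User{ID: "u1", Email: "alice@example.com"}
	for _, rs := range []string{"inv-open-111", "inv-fin-222", "inv-bogus"} {
		_, err := s.AuthorizeTeamJoin(alice, rs) // only the open team succeeds
		fmt.Printf("RelayState=%q -> err=%v\n", rs, err)
	}
}
```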

Impact:

Unauthorized team access.

Data exfiltration from private teams.

Privilege escalation.

Privacy violation.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode