CVE-2025-1412: Session Persistence After User-to-Bot Conversion

3.1 CVSS

Description

Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot.

Classification

CVE ID: CVE-2025-1412

CVSS Base Severity: LOW

CVSS Base Score: 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem Types

CWE-384: Session Fixation

Affected Products

Vendor: Mattermost

Product: Mattermost

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.8% (scored less or equal to compared to others)

EPSS Date: 2025-03-25 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1412
https://mattermost.com/security-updates

Timeline

2025-02-24 08:40:13 UTC
CVE

Session Persistence After User-to-Bot Conversion
2025-02-24 19:15:19 UTC
Github Advisory Database (Go)

[github.com/mattermost/mattermost/server/v8] Mattermost fails to invalidate all active sessions when converting a user to a bot