CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-2571: Google OAuth Authentication Bypass for Converted Bot Accounts

4.2 CVSS

Description

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.

Classification

CVE ID: CVE-2025-2571

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.2

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem Types

CWE-303: Incorrect Implementation of Authentication Algorithm

Affected Products

Vendor: Mattermost

Product: Mattermost

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 8.01% (scored less or equal to compared to others)

EPSS Date: 2025-06-16 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2571
https://mattermost.com/security-updates

Timeline

2025-05-30 15:40:18 UTC
CVE

Google OAuth Authentication Bypass for Converted Bot Accounts