CVE-2025-27936: Webhook Secret Exposure via Timing attack in MSteams plugin

5.3 CVSS

Description

Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison.

Classification

CVE ID: CVE-2025-27936

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem Types

CWE-208: Observable Timing Discrepancy

Affected Products

Vendor: Mattermost

Product: Mattermost

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.27% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27936
https://mattermost.com/security-updates

Timeline

2025-04-16 10:40:17 UTC
CVE

Webhook Secret Exposure via Timing attack in MSteams plugin
2025-04-16 15:15:27 UTC
Github Advisory Database (Go)

[github.com/mattermost/mattermost-plugin-msteams] Mattermost vulnerable to Observable Timing Discrepancy
2025-04-16 15:15:27 UTC
Github Advisory Database (Go)

[github.com/mattermost/mattermost/server/v8] Mattermost vulnerable to Observable Timing Discrepancy