CVE-2025-12421

Severity: CRITICAL · Lab available

Mattermost <11.0.2, 10.12.1, 10.11.4, 10.5.12 - Auth Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-12421. PoCs published by exploitintel.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2025-12421, demonstrating a token type confusion vulnerability in Mattermost Server that allows account takeover via crafted tokens. The PoC includes detailed technical analysis, lab setup, and two Python scripts that exploit the vulnerability.

Description

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).

Exploits (1)

GitHub · WORKING POC · 1 star
by exploitintel · python · poc
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-12421

Classification: Working PoC (100%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Mattermost Server (11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12)
No auth needed
Prerequisites: knowledge of victim's user_id · access to Mattermost API and PostgreSQL database
Analyzed by devstral-2 on Mar 02, 2026

References (1)


Scores

CVSS v3: 9.9
EPSS: 0.0009
EPSS Percentile: 25.0%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Lab Environment

Vulnerable image: docker pull ghcr.io/exploitintel/cve-2025-12421-vulnerable:latest

Details

CWE: CWE-303
Status: published
Products (3)
mattermost/mattermost: 0 - 8.0.0-20251022210333-acda1fb5dd46 (Go)
mattermost/mattermost-server: 11.0.0 - 11.0.3 (Go)
mattermost/mattermost_server: 10.5.0 - 10.5.13
Published: Nov 27, 2025
Tracked Since: Feb 18, 2026