CVE-2025-12421
Published: 27 November 2025
Summary
CVE-2025-12421 is a critical-severity Incorrect Implementation of Authentication Algorithm (CWE-303) vulnerability in Mattermost Server (vendor: Mattermost). Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit likelihood is ranked at the 24.6th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the software flaw in token verification during SSO code exchange, preventing account takeover exploitation.
- Enforces secure configuration settings to disable ExperimentalEnableAuthenticationTransfer or enable RequireEmailVerification, blocking the vulnerable authentication path.
- Mandates proper management and verification of authentication tokens, ensuring tokens are checked for origin in the authentication flow to prevent hijacking.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables low-privileged users to exploit an authentication flaw in Mattermost's SSO code exchange for account takeover, directly facilitating Exploitation for Privilege Escalation (T1068) and Exploitation of Remote Services (T1210).
NVD Description
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).
Deeper analysis
CVE-2025-12421 is a critical authentication vulnerability in Mattermost, affecting versions 11.0.x up to and including 11.0.2, 10.12.x up to and including 10.12.1, 10.11.x up to and including 10.11.4, and 10.5.x up to and including 10.5.12. The issue arises from a failure to verify that the token used during the code exchange originates from the same authentication flow. This is classified under CWE-303 (Incorrect Implementation of Authentication Algorithm) and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). Exploitation requires the ExperimentalEnableAuthenticationTransfer feature to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).
An authenticated user with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. The attacker crafts a specially formatted email address while switching authentication methods, then sends a request to the /users/login/sso/code-exchange endpoint. This allows takeover of another user's account by hijacking the authentication flow, potentially granting full access to the victim's data and privileges due to the changed scope and high impacts on confidentiality, integrity, and availability.
Mattermost has published details on mitigations in their security updates, available at https://mattermost.com/security-updates. Security practitioners should review this advisory for patch information and configuration guidance to address the vulnerability.
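A defensive audit helper for the two preconditions described above, added here as an example and not Mattermost's own code: it checks a server version against the affected ranges given in the NVD description and a config.json fragment for the ExperimentalEnableAuthenticationTransfer / RequireEmailVerification combination. The config.json key paths ServiceSettings.ExperimentalEnableAuthenticationTransfer and EmailSettings.RequireEmailVerification are assumptions, and the sample configuration is constructed.

```python
import json

# Affected release lines from the advisory: (major, minor) -> highest vulnerable patch.
# A line absent from this table is outside the advisory's list, not proven safe.
AFFECTED_LINES = {
    (11, 0): 2,    # 11.0.x  <= 11.0.2
    (10, 12): 1,   # 10.12.x <= 10.12.1
    (10, 11): 4,   # 10.11.x <= 10.11.4
    (10, 5): 12,   # 10.5.x  <= 10.5.12
}

def parse_version(version):
    """'10.11.3' or 'v10.11.3' -> (10, 11, 3); missing components default to 0."""
    nums = [int(p) for p in version.strip().lstrip("v").split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def version_in_affected_range(version):
    """True when the server version lies inside one of the listed vulnerable ranges."""
    major, minor, patch = parse_version(version)
    top = AFFECTED_LINES.get((major, minor))
    return top is not None and patch <= top

def config_exposes_flaw(config):
    """True when both advisory preconditions hold: transfer enabled, verification off.

    Key paths are an assumption (ServiceSettings.ExperimentalEnableAuthenticationTransfer
    and EmailSettings.RequireEmailVerification); missing keys take the advisory's defaults.
    """
    service = config.get("ServiceSettings", {})
    email = config.get("EmailSettings", {})
    transfer = service.get("ExperimentalEnableAuthenticationTransfer", True)
    verify = email.get("RequireEmailVerification", False)
    return bool(transfer) and not bool(verify)

def assess(version, config_text):
    """Combine the version and configuration checks into one verdict."""
    config = json.loads(config_text)
    affected = version_in_affected_range(version)
    if affected and config_exposes_flaw(config):
        return "EXPOSED"          # patch, or disable transfer / require email verification
    if affected:
        return "VERSION_AFFECTED_PATH_BLOCKED"   # configuration closes the path; still patch
    return "NOT_IN_LISTED_RANGE"

# Constructed sample config.json fragment with both settings left at their defaults.
SAMPLE_CONFIG = json.dumps({"ServiceSettings": {}, "EmailSettings": {}})

if __name__ == "__main__":
    print(assess("10.11.3", SAMPLE_CONFIG))   # EXPOSED
```

Run it against the real config.json and the output of the server's version command; a "VERSION_AFFECTED_PATH_BLOCKED" result still means the fix should be applied, since the configuration only narrows the reachable path.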
Details
- CWE(s)