{"id":"GHSA-2j87-p623-8cc2","summary":"Mattermost vulnerable to Observable Timing Discrepancy","details":"Mattermost Plugin MSTeams versions \u003c2.1.0 and Mattermost Server versions 10.5.x \u003c=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison.","aliases":["CVE-2025-27936","GO-2025-3618"],"modified":"2026-02-04T03:49:03.258589Z","published":"2025-04-16T12:31:19Z","related":["CGA-wv5w-mg9x-7cr4"],"database_specific":{"severity":"MODERATE","cwe_ids":["CWE-208"],"github_reviewed":true,"nvd_published_at":"2025-04-16T10:15:14Z","github_reviewed_at":"2025-04-16T14:58:55Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27936"},{"type":"PACKAGE","url":"https://github.com/mattermost/mattermost"},{"type":"WEB","url":"https://mattermost.com/security-updates"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2025-3618"}],"affected":[{"package":{"name":"github.com/mattermost/mattermost/server/v8","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8"},"ranges":[{"type":"SEMVER","events":[{"introduced":"10.5.0"},{"fixed":"10.5.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-2j87-p623-8cc2/GHSA-2j87-p623-8cc2.json"}},{"package":{"name":"github.com/mattermost/mattermost/server/v8","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"8.0.0-20250314142426-c049748b8863"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-2j87-p623-8cc2/GHSA-2j87-p623-8cc2.json"}},{"package":{"name":"github.com/mattermost/mattermost-plugin-msteams","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost-plugin-msteams"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.1.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-2j87-p623-8cc2/GHSA-2j87-p623-8cc2.json","last_known_affected_version_range":"\u003c= 1.15.0"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}