CVE-2025-31363 - Vulnerability Details - OpenCVE

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection in the AI plugin's Jira tool.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00023.

Key SSVC decision points have not yet been added.

Vendors	Products
Mattermost	Mattermost Server

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server:10.5.0:-::::::

No data.

No data.

Fixes

Solution

Update Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.10 or higher.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://mattermost.com/security-updates

History

Mon, 29 Sep 2025 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost Server
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:a:mattermost:mattermost_server:::::::: cpe:2.3:a:mattermost:mattermost_server:10.5.0:-::::::
Vendors & Products		Mattermost Mattermost mattermost Server

Wed, 16 Apr 2025 09:30:00 +0000

Type	Values Removed	Values Added
Description		Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection in the AI plugin's Jira tool.
Title		Data exfiltration via AI plugin Jira tool
Weaknesses		CWE-1426
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2025-04-16T09:14:15.992Z

Updated: 2025-04-16T14:33:01.674Z

Reserved: 2025-04-08T07:50:19.617Z

Link: CVE-2025-31363

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2025-04-16T10:15:15.170

Modified: 2025-09-29T21:24:36.903

Link: CVE-2025-31363

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-31363", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2025-04-08T07:50:19.617Z", "datePublished": "2025-04-16T09:14:15.992Z", "dateUpdated": "2025-04-16T14:33:01.674Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "10.4.2", "status": "affected", "version": "10.4.0", "versionType": "semver"}, {"status": "affected", "version": "10.5.0"}, {"lessThanOrEqual": "9.11.9", "status": "affected", "version": "9.11.0", "versionType": "semver"}, {"status": "unaffected", "version": "10.6.0"}, {"status": "unaffected", "version": "10.4.3"}, {"status": "unaffected", "version": "10.5.1"}, {"status": "unaffected", "version": "9.11.10"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Juho Fors\u00e9n"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to <span style=\"background-color: rgb(255, 255, 255);\">exfiltrate data from an arbitrary server accessible to the victim via</span> performing a prompt injection in the AI plugin's Jira tool.</p>"}], "value": "Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream\u00a0which allows an authenticated user to\u00a0exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection\u00a0in the AI plugin's Jira tool."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1426", "description": "CWE-1426: Improper Validation of Generative AI Output", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2025-04-16T09:14:15.992Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.10 or higher.</p>"}], "value": "Update Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.10 or higher."}], "source": {"advisory": "MMSA-2024-00401", "defect": ["https://mattermost.atlassian.net/browse/MM-61473"], "discovery": "INTERNAL"}, "title": "Data exfiltration via AI plugin Jira tool", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T14:19:20.968987Z", "id": "CVE-2025-31363", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T14:33:01.674Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "73837B0A-0874-4B7D-8B09-D3CB7E249EA0", "versionEndExcluding": "9.11.10", "versionStartIncluding": "9.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F2ACE54D-3EC6-4AC9-B243-35E8FFBE0EA0", "versionEndExcluding": "10.4.3", "versionStartIncluding": "10.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:10.5.0:-:*:*:*:*:*:*", "matchCriteriaId": "FCB473B7-939A-437C-9488-980523F2B043", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream\u00a0which allows an authenticated user to\u00a0exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection\u00a0in the AI plugin's Jira tool."}, {"lang": "es", "value": "Las versiones de Mattermost 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 no restringen los dominios que LLM puede solicitar para contactar ascendentemente, lo que permite que un usuario autenticado extraiga datos de un servidor arbitrario accesible para la v\u00edctima mediante la realizaci\u00f3n de una inyecci\u00f3n r\u00e1pida en la herramienta Jira del complemento de IA."}], "id": "CVE-2025-31363", "lastModified": "2025-09-29T21:24:36.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.0, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-16T10:15:15.170", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}