NIXPKGS-2026-0264

GitHub issue published on

Permalink CVE-2025-13821

5.7 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

updated 1 month, 4 weeks ago by @LeSuisse Activity log

Created automatic suggestion 1 month, 4 weeks ago
@LeSuisse ignored
4 packages
- mattermost-desktop
- python312Packages.mattermostdriver
- python313Packages.mattermostdriver
- python314Packages.mattermostdriver
1 month, 4 weeks ago
@LeSuisse deleted
5 maintainers
- @fsagbuya
- @Kranzes
- @numinit
- @mgdelacroix
- @ryantm
1 month, 4 weeks ago maintainer.delete
@LeSuisse accepted 1 month, 4 weeks ago
@LeSuisse published on GitHub 1 month, 4 weeks ago

User profile update exposes password hash and MFA secrets

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560

References

MMSA-2025-00560 vendor-advisory
MMSA-2025-00560 vendor-advisory

Affected products

Mattermost

==11.2.2
=<11.1.2
=<11.2.1
==11.1.3
==10.11.10
==11.3.0
=<10.11.9

Matching in nixpkgs

pkgs.mattermost

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

nixos-unstable 10.11.10
- nixpkgs-unstable 10.11.10
- nixos-unstable-small 10.11.10
nixos-25.11 10.11.10
- nixos-25.11-small 10.11.10
- nixpkgs-25.11-darwin 10.11.10

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

nixos-unstable 11.4.0
- nixpkgs-unstable 11.4.0
- nixos-unstable-small 11.4.0
nixos-25.11 11.3.0
- nixos-25.11-small 11.3.0
- nixpkgs-25.11-darwin 11.3.0

Ignored packages (4)

pkgs.mattermost-desktop

Mattermost Desktop client

nixos-unstable 6.0.4
- nixpkgs-unstable 6.0.4
- nixos-unstable-small 6.0.4
nixos-25.11 6.0.4
- nixos-25.11-small 6.0.4
- nixpkgs-25.11-darwin 6.0.4

pkgs.python312Packages.mattermostdriver

Python Mattermost Driver

nixos-25.11 7.3.2
- nixos-25.11-small 7.3.2
- nixpkgs-25.11-darwin 7.3.2

pkgs.python313Packages.mattermostdriver

Python Mattermost Driver

nixos-unstable 7.3.2
- nixpkgs-unstable 7.3.2
- nixos-unstable-small 7.3.2
nixos-25.11 7.3.2
- nixos-25.11-small 7.3.2
- nixpkgs-25.11-darwin 7.3.2

pkgs.python314Packages.mattermostdriver

Python Mattermost Driver

nixos-unstable 7.3.2
- nixpkgs-unstable 7.3.2
- nixos-unstable-small 7.3.2

Package maintainers

Ignored maintainers (5)

@fsagbuya Florian Agbuya <fa@m-labs.ph>
@Kranzes Ilan Joselevich <personal@ilanjoselevich.com>
@ryantm Ryan Mulligan <ryan@ryantm.com>
@numinit Morgan Jones <me+nixpkgs@numin.it>
@mgdelacroix Miguel de la Cruz <mgdelacroix@gmail.com>

Fixed in:
* Unstable: https://github.com/NixOS/nixpkgs/pull/480349 / https://github.com/NixOS/nixpkgs/pull/478724
* 25.11: https://github.com/NixOS/nixpkgs/pull/480574 / https://github.com/NixOS/nixpkgs/pull/479561

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0264

References

Affected products

Matching in nixpkgs

pkgs.mattermost

pkgs.mattermostLatest

pkgs.mattermost-desktop

pkgs.python312Packages.mattermostdriver

pkgs.python313Packages.mattermostdriver

pkgs.python314Packages.mattermostdriver

Package maintainers