CVE-2025-27936: 
Chainguard vulnerability analysis and mitigation

Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled contain a timing attack vulnerability in webhook secret comparison. The vulnerability was disclosed on April 16, 2025 and assigned identifier CVE-2025-27936 (NVD).

The vulnerability stems from a failure to perform constant time comparison on a MSTeams plugin webhook secret. This implementation flaw allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with high attack complexity and potential for high confidentiality impact (NVD).

If successfully exploited, an attacker could retrieve the webhook secret of the MSTeams plugin. This could potentially lead to unauthorized access to webhook functionality and compromise the security of communications between Mattermost and Microsoft Teams integrations (NVD).

Users should upgrade to Mattermost Plugin MSTeams version 2.1.0 or later, and ensure Mattermost Server is updated beyond version 10.5.1 if using the MS Teams plugin (NVD, Mattermost Security).