CVE-2025-71388
HIGH
7.6
CVSS 4.0
Description
stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1 allow users with only ViewChannel (read) permission on a channel to fetch that channel's webhooks, including their tokens, because the webhook fetch endpoint checked for ViewChannel instead of ManageWebhooks. Using a retrieved token, an attacker can send arbitrary messages to the channel, bypassing channel permissions and impersonating a bot or webhook. Fixed in 20250210-1 (0.8.2).
Metadata
Severity & Metrics
7.6
HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| stoatchat | stoatchat | — | 20241213-1 < 20250210-1, 20250210-1 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-639 | cna | Authorization Bypass Through User-Controlled Key |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 7.6 | HIGH | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
References (3)
- GitHub Security Advisory (GHSA-8684-rvfj-v3jq) https://github.com/stoatchat/stoatchat/security/advisories/GHSA-8684-rvfj-v3jq
- https://github.com/stoatchat/stoatchat/commit/e3723d647effb81ea3d3919d848faf64dbe89829 https://github.com/stoatchat/stoatchat/commit/e3723d647effb81ea3d3919d848faf64dbe89829
- VulnCheck Advisory: stoatchat 20241213-1 Webhook Token Disclosure via Read Permissions https://www.vulncheck.com/advisories/stoatchat-20241213-1-webhook-token-disclosure-via-read-permissions