CVE-2025-71388
stoatchat · stoatchat
The stoatchat application contains an authorization bypass vulnerability where users with read-only permissions can retrieve webhook tokens.
Executive summary
An authorization bypass in stoatchat versions prior to 20250210-1 allows unauthorized users to retrieve sensitive webhook tokens.
Vulnerability
This vulnerability is an authorization bypass (CWE-639) occurring because the webhook fetch endpoint checks for the wrong permission level. Authenticated users with only ViewChannel access can incorrectly fetch webhook tokens that should require ManageWebhooks permissions.
Business impact
Unauthorized access to webhook tokens allows an attacker to impersonate the application or intercept external service notifications. This compromise can lead to data leaks or the injection of malicious content into integrated third-party services. The CVSS score of 7.6 indicates a high risk to the confidentiality and integrity of the communication platform.
Remediation
Immediate Action: Update the stoatchat installation to version 20250210-1 or later to resolve the authorization logic flaw.
Proactive Monitoring: Review audit logs for unauthorized access attempts to webhook configuration endpoints or suspicious activity involving webhook tokens.
Compensating Controls: If an update is delayed, revoke sensitive webhooks or restrict access to the channel management interface to prevent unauthorized token retrieval.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Organizations using stoatchat must upgrade to version 20250210-1 as soon as possible. This update correctly enforces the required ManageWebhooks permission, effectively closing the authorization bypass path and securing sensitive integration tokens.