CVE-2025-71388

stoatchat · stoatchat

The stoatchat application contains an authorization bypass vulnerability where users with read-only permissions can retrieve webhook tokens.

Executive summary

An authorization bypass in stoatchat versions prior to 20250210-1 allows unauthorized users to retrieve sensitive webhook tokens.

Vulnerability

This vulnerability is an authorization bypass (CWE-639) occurring because the webhook fetch endpoint checks for the wrong permission level. Authenticated users with only ViewChannel access can incorrectly fetch webhook tokens that should require ManageWebhooks permissions.

Business impact

Unauthorized access to webhook tokens allows an attacker to impersonate the application or intercept external service notifications. This compromise can lead to data leaks or the injection of malicious content into integrated third-party services. The CVSS score of 7.6 indicates a high risk to the confidentiality and integrity of the communication platform.

Remediation

Immediate Action: Update the stoatchat installation to version 20250210-1 or later to resolve the authorization logic flaw.

Proactive Monitoring: Review audit logs for unauthorized access attempts to webhook configuration endpoints or suspicious activity involving webhook tokens.

Compensating Controls: If an update is delayed, revoke sensitive webhooks or restrict access to the channel management interface to prevent unauthorized token retrieval.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Organizations using stoatchat must upgrade to version 20250210-1 as soon as possible. This update correctly enforces the required ManageWebhooks permission, effectively closing the authorization bypass path and securing sensitive integration tokens.