Status: Patched
This vulnerability has been verified as resolved and deployed.
User-Agent version parser panic during session creation (CVE-2026-25783)
Summary
Malformed Mattermost-specific User-Agent prefixes could panic getBrowserVersion
DoLogin parses the HTTP User-Agent header while creating a session and stores platform, OS, browser name, and browser version on the session. The version helper looked for Mattermost-specific prefixes such as Mattermost Mobile/, Mattermost/, mmctl/, and Franz/, then immediately returned strings.Fields(afterVersion)[0]. If the header ended at the prefix or contained only whitespace after it, strings.Fields returned an empty slice and the [0] index panicked.
This is not reached before authentication in the normal password login flow: login calls AuthenticateUserForLogin first, then DoLogin. A malicious client needs a way to complete session creation, such as a valid account or an enabled registration/login flow. The fix centralizes prefixes in versionPrefixes, checks len(fields) > 0 before indexing, and falls back to the parsed user-agent version. The original fix is PR #35098 / commit 1346cf529aef0672c39a56ec10d1b8a9c8fb387d; backports include #35124, #35131, #35132, and #35133.
CVSS Score
Vulnerability Location
Source-to-Sink Analysis
After authentication succeeds, the login handler calls DoLogin with the original HTTP request, including the attacker-controlled User-Agent header.
DoLogin parses r.UserAgent() and asks getBrowserVersion for the version string that will be stored in the session props.
Before the patch, each special-case prefix indexed strings.Fields(afterVersion)[0] without confirming any field existed.
The patched version loops over known prefixes and only indexes the first field when len(fields) > 0; otherwise it falls back to getUAVersion.
Impact Analysis
Critical Impact
Repeated successful login attempts with malformed User-Agent headers can generate panics and degrade availability of login/session creation. The blast radius is bounded by the requirement to reach DoLogin, but the missing bounds check is a server-side panic on attacker-controlled input.
Attack Surface
Session creation paths that call DoLogin, including the password login endpoint after successful authentication and other login flows that create a session.
Preconditions
The attacker must be able to complete login/session creation, for example with their own valid account. They control the User-Agent header.
Proof of Concept
Environment Setup
Use a vulnerable build before PR #35098 and an account that can log in successfully.
Target Configuration
No special server configuration is required beyond a reachable login flow.
Exploit Delivery
Send a valid login request with User-Agent: Mattermost Mobile/ or User-Agent: mmctl/ and correct credentials.
Outcome
Malformed User-Agent prefixes no longer crash session creation.
Expected Response:
Vulnerable builds panic with an index-out-of-range error in getBrowserVersion. Fixed builds complete the request and use the fallback parsed browser version when no prefix token exists.
Run this level of analysis on your repo.
Winfunc traces source-to-sink paths, validates exploitability, and gives your team patch-ready remediation.
