Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71388

CVE-2025-71388: Stoatchat Auth Bypass Vulnerability

CVE-2025-71388 is an authentication bypass flaw in stoatchat that allows users with read-only permissions to access webhook tokens and send unauthorized messages. This article covers technical details, affected versions, and fixes.

Published:

CVE-2025-71388 Overview

CVE-2025-71388 is a broken access control vulnerability in stoatchat (a fork of delta/Revolt) affecting versions from 20241213-1 before 20250210-1. The webhook fetch endpoint enforces the wrong permission, checking ViewChannel (read access) instead of ManageWebhooks. A user with only read permission on a channel can retrieve every webhook configured on that channel, including their secret tokens. With a stolen token, an attacker can post arbitrary messages to the channel while impersonating a webhook or bot, bypassing channel send permissions. The issue is tracked under [CWE-639: Authorization Bypass Through User-Controlled Key] and is fixed in 20250210-1 (0.8.2).

Critical Impact

Any channel member with read-only access can exfiltrate webhook tokens and use them to inject messages while impersonating trusted bots.

Affected Products

  • stoatchat (delta/Revolt) 20241213-1 and later, prior to 20250210-1
  • stoatchat versions before 0.8.2
  • Deployments exposing the webhook_fetch_all route on the delta backend

Discovery Timeline

  • 2026-07-16 - CVE-2025-71388 published to NVD
  • 2026-07-16 - Last updated in NVD database

Technical Details for CVE-2025-71388

Vulnerability Analysis

The vulnerability lives in the delta backend route that lists webhooks for a channel. The handler calculates the caller's channel permissions and then gates access using ChannelPermission::ViewChannel. That permission is granted to any user who can see the channel, so it does not restrict administrative operations. Because the returned payload includes each webhook's token, the endpoint effectively hands out message-injection credentials to every reader.

Once a webhook token is obtained, the attacker calls the public webhook execute endpoint to post messages. These messages appear to originate from the webhook and inherit its display name and avatar. Send-message permissions on the channel are bypassed because webhook execution is authorized by the token, not by the caller's channel role.

Root Cause

The root cause is an incorrect authorization decision in crates/delta/src/routes/channels/webhook_fetch_all.rs. The permission model defines ManageWebhooks for administrative webhook operations, but the fetch handler was wired to the read-level ViewChannel check. The patch swaps the check to ManageWebhooks, aligning the endpoint with the intended permission boundary.

Attack Vector

An authenticated user with ViewChannel on any channel sends a GET request to the channel's webhook list endpoint. The server returns webhook objects including the token field. The attacker then issues POST requests to the webhook execute URL using the leaked token to publish arbitrary content.

rust
     let mut query = DatabasePermissionQuery::new(db, &user).channel(&channel);
     calculate_channel_permissions(&mut query)
         .await
-        .throw_if_lacking_channel_permission(ChannelPermission::ViewChannel)?;
+        .throw_if_lacking_channel_permission(ChannelPermission::ManageWebhooks)?;
 
     Ok(Json(
         db.fetch_webhooks_for_channel(channel.id())
// Source: https://github.com/stoatchat/stoatchat/commit/e3723d647effb81ea3d3919d848faf64dbe89829

Detection Methods for CVE-2025-71388

Indicators of Compromise

  • Unexpected GET requests to /channels/{id}/webhooks originating from accounts that do not hold ManageWebhooks.
  • Webhook execute POST requests from IPs or user agents that differ from the webhook's normal integration.
  • Messages sent through webhooks that impersonate bots outside of expected automation windows.

Detection Strategies

  • Correlate stoatchat access logs for the webhook_fetch_all route with the caller's effective channel permissions to surface reads by non-admins.
  • Alert on any HTTP 200 response to a webhook list request where the responder is not a channel administrator.
  • Baseline webhook execute traffic per token and flag executions from previously unseen source IPs or geographies.

Monitoring Recommendations

  • Enable verbose request logging on the delta service and ship logs to a central analytics backend for permission-anomaly review.
  • Track the creation and use of webhook tokens, treating any read of the token field by a non-privileged account as a security event.
  • Review audit logs for message posts attributed to webhooks that arrive outside the source system's expected schedule.

How to Mitigate CVE-2025-71388

Immediate Actions Required

  • Upgrade stoatchat to 20250210-1 (version 0.8.2) or later on every delta backend instance.
  • Rotate all webhook tokens on channels that were reachable by non-admin users during the vulnerable window.
  • Review recent channel messages posted via webhooks for signs of impersonation or unauthorized content.

Patch Information

The fix is committed in stoatchat commit e3723d6 and released in 20250210-1 (0.8.2). Full details are published in the GitHub Security Advisory GHSA-8684-rvfj-v3jq and the VulnCheck advisory for the webhook token disclosure.

Workarounds

  • If patching is not immediately possible, delete existing webhooks on sensitive channels to eliminate the tokens that could be leaked.
  • Restrict ViewChannel membership on channels that host webhooks until the upgrade is applied.
  • Place the delta API behind a reverse proxy rule that denies requests to the webhook list endpoint for non-admin roles.
bash
# Example nginx rule blocking the webhook list endpoint from unauthenticated or low-privilege access
location ~ ^/channels/[^/]+/webhooks$ {
    if ($request_method = GET) {
        return 403;
    }
    proxy_pass http://delta_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.