Vulnerability DatabaseCVE-2025-9072
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-9072
September 15, 2025
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled URL.
Affected Packages
github.com/mattermost/mattermost (GO):
Affected version(s) >=v10.9.0 <v10.9.5
Fix Suggestion:
Update to version v10.9.5
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v10.5.0 <v10.5.10
Fix Suggestion:
Update to version v10.5.10
github.com/mattermost/mattermost (GO):
Affected version(s) >=v10.10.0 <v10.10.2
Fix Suggestion:
Update to version v10.10.2
github.com/mattermost/mattermost (GO):
Affected version(s) >=v10.10.0 <v10.10.2
Fix Suggestion:
Update to version v10.10.2
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v10.5.0 <v10.5.10
Fix Suggestion:
Update to version v10.5.10
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v10.10.0 <v10.10.2
Fix Suggestion:
Update to version v10.10.2
github.com/mattermost/mattermost/server/v8 (GO):
Affected version(s) >=v8.0.0-20230429093631-aac4f2337933 <v8.0.0-20250731063404-9eebaadf8f72
Fix Suggestion:
Update to version v8.0.0-20250731063404-9eebaadf8f72
github.com/mattermost/mattermost (GO):
Affected version(s) >=v10.9.0 <v10.9.5
Fix Suggestion:
Update to version v10.9.5
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v10.10.0 <v10.10.2
Fix Suggestion:
Update to version v10.10.2
github.com/mattermost/mattermost (GO):
Affected version(s) >=v10.10.0 <v10.10.2
Fix Suggestion:
Update to version v10.10.2
github.com/mattermost/mattermost (GO):
Affected version(s) >=v10.5.0 <v10.5.10
Fix Suggestion:
Update to version v10.5.10
github.com/mattermost/mattermost (GO):
Affected version(s) >=v10.9.0 <v10.9.5
Fix Suggestion:
Update to version v10.9.5
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v10.9.0 <v10.9.5
Fix Suggestion:
Update to version v10.9.5
github.com/mattermost/mattermost (GO):
Affected version(s) >=v10.5.0 <v10.5.10
Fix Suggestion:
Update to version v10.5.10
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v10.9.0 <v10.9.5
Fix Suggestion:
Update to version v10.9.5
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v10.9.0 <v10.9.5
Fix Suggestion:
Update to version v10.9.5
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v10.5.0 <v10.5.10
Fix Suggestion:
Update to version v10.5.10
Related Resources (6)
https://github.com/mattermost/mattermost/commit/13cd76009d31754db46115bddef5287a8a29871a
https://github.com/mattermost/mattermost/commit/9eebaadf8f720788e99b6997337c8df330271326
https://github.com/mattermost/mattermost/commit/fda403fb6ec41bea8780bff198a26860f105e6e5
https://mattermost.com/security-updates
https://nvd.nist.gov/vuln/detail/CVE-2025-9072
https://github.com/mattermost/mattermost
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.6
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.6
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
LOW
Weakness Type (CWE)
URL Redirection to Untrusted Site ('Open Redirect')
CWE-601
EPSS
Base Score:
0.05