CVE-2025-47700 — Server-Side Request Forgery in Mattermost Mattermost-server

CWE-918 — Server-Side Request Forgery CWE-369 — Divide By Zero6 documents5 sources

Severity

3.5LOWNVD

EPSS

0.0%

top 90.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedAug 21

Latest updateAug 29

Description

Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server10.5.0 — 10.5.9

▶Gogithub.com/mattermost_mattermost-server10.5.0 — 10.5.10+1

▶Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20250814075248-83a37a861d3c

▶CVEListV5mattermost/mattermost10.5.0 — 10.5.8

🔴Vulnerability Details

OSV

Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server↗2025-08-29

▶

GHSA

Mattermost Server SSRF Vulnerability via the Agents Plugin↗2025-08-21

▶

CVEList

AI plugin APIs can be triggered using post actions↗2025-08-21

▶

OSV

Mattermost Server SSRF Vulnerability via the Agents Plugin↗2025-08-21

▶

📋Vendor Advisories

Microsoft

ext4: check stripe size compatibility on remount as well↗2024-10-08

▶