CVE-2025-62690: Open Redirect in Mattermost (Mattermost) | cvebase

CWE-601: Open Redirect | 6 documents | 5 sources
Severity
  NVD: 6.1 MEDIUM
  CNA: 3.1
EPSS
  0.0% (top 88.61%)
CISA KEV
  Not in KEV
Exploit
  No known exploits
Timeline
  Published: 2025-12-17
  Latest update: 2026-01-14

Description

Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab.
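The advisory does not show the patch, so the Go program below is an added illustration and not Mattermost's code: it contrasts an /error handler that forwards a redirect parameter straight into http.Redirect with one that validates the target first. The query parameter name redirect_to and the host evil.example are assumptions made for the example, and the probe inputs are constructed. Whatever client-side path the "opened in a new tab" detail refers to, the durable control is that the server never emits a Location header it did not derive from a same-site, path-absolute value.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// safeRedirectTarget is a hypothetical helper (not Mattermost code). It
// accepts only a same-site, path-absolute target and returns it rebuilt from
// its parsed parts; anything else collapses to the site root.
func safeRedirectTarget(raw string) string {
	const fallback = "/"
	// Backslashes and control characters are rejected outright: browsers
	// treat "/\evil.example" like "//evil.example", and CR/LF would allow
	// header injection if the value ever reached a Location header.
	if strings.ContainsAny(raw, "\\\r\n\t") {
		return fallback
	}
	// Must be path-absolute ("/x") but not protocol-relative ("//x").
	if !strings.HasPrefix(raw, "/") || strings.HasPrefix(raw, "//") {
		return fallback
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return fallback
	}
	// Re-check after decoding: "/%2F%2Fevil.example" parses to Path "//evil.example",
	// which url.URL.String() would emit as a protocol-relative URL.
	if strings.HasPrefix(u.Path, "//") {
		return fallback
	}
	// Rebuild so only path, query and fragment survive.
	clean := url.URL{Path: u.Path, RawQuery: u.RawQuery, Fragment: u.Fragment}
	return clean.String()
}

// Both handlers read a hypothetical "redirect_to" query parameter; the
// parameter name is assumed for this example, not taken from the advisory.

// vulnerableErrorHandler forwards the parameter unchanged. http.Redirect only
// rewrites targets that have neither scheme nor host, and "//evil.example"
// parses with Host "evil.example", so it reaches the Location header as-is.
func vulnerableErrorHandler(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, r.URL.Query().Get("redirect_to"), http.StatusFound)
}

// hardenedErrorHandler validates the target before redirecting.
func hardenedErrorHandler(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, safeRedirectTarget(r.URL.Query().Get("redirect_to")), http.StatusFound)
}

// locationFor runs a handler against GET /error?redirect_to=<target> in memory
// and returns the Location header it produced.
func locationFor(h http.HandlerFunc, target string) string {
	req := httptest.NewRequest(http.MethodGet, "/error?"+url.Values{"redirect_to": {target}}.Encode(), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	// Constructed probes: legitimate in-app paths plus classic open-redirect payloads.
	targets := []string{
		"/channels/town-square",
		"/error?type=expired&x=1#top",
		"//evil.example",
		`/\evil.example`,
		"/%2F%2Fevil.example",
		"https://evil.example/",
		"javascript:alert(1)",
		"",
	}
	fmt.Printf("%-30s %-30s %s\n", "target", "vulnerable Location", "hardened Location")
	for _, t := range targets {
		fmt.Printf("%-30q %-30q %q\n", t, locationFor(vulnerableErrorHandler, t), locationFor(hardenedErrorHandler, t))
	}
}
```

The check deliberately rebuilds the target from parsed components rather than passing the validated string through, so the output can only ever contain a path, query and fragment; an allow-list comparison against the configured site URL is an equally valid alternative, but is harder to get right across scheme, port and trailing-slash variations.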

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Exploitability: 2.8 | Impact: 2.7)

Affected Packages (4 packages)

Source      Package                                       Range start                          Range end
NVD         mattermost/mattermost_server                  10.11.0                              10.11.5
Go          github.com/mattermost/mattermost              10.11.0-rc1+incompatible             11.1.0+incompatible (+2 more ranges)
Go          github.com/mattermost/mattermost/server/v8    8.0.0-20250721062209-4952acea88ce    8.0.0-20251016131338-dad6bd7a1509
CVEListV5   mattermost/mattermost                         10.11.0                              10.11.4

🔴 Vulnerability Details (4)

- OSV: Mattermost has missing redirect URL validation in github.com/mattermost/mattermost (2026-01-14)
- OSV: Mattermost has missing redirect URL validation (2025-12-17)
- GHSA: Mattermost has missing redirect URL validation (2025-12-17)
- CVEList: Open redirect in error page when link opened in new tab (2025-12-17)

🕵️ Threat Intelligence (1)

- Wiz: CVE-2025-62690 Impact, Exploitability, and Mitigation Steps | Wiz