CVE-2025-9084 — Open Redirect in Mattermost Mattermost-server

CWE-601 — Open Redirect6 documents5 sources

Severity

6.1MEDIUMNVD

CNA3.1

EPSS

0.0%

top 91.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedSep 15

Latest updateSep 17

Description

Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶NVDmattermost/mattermost_server10.5.0 — 10.5.10

▶Gogithub.com/mattermost_mattermost-server10.5.0 — 10.5.10+1

▶Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-202508080704-39bd251fe4f600

▶CVEListV5mattermost/mattermost10.5.0 — 10.5.9

🔴Vulnerability Details

OSV

Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server↗2025-09-17

▶

GHSA

Mattermost Open Redirect vulnerability↗2025-09-15

▶

CVEList

Open redirect in OAuth login↗2025-09-15

▶

OSV

Mattermost Open Redirect vulnerability↗2025-09-15

▶