Home

Description

Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions

PUBLISHED Reserved 2025-07-22 | Published 2025-08-21 | Updated 2025-08-21 | Assigner Mattermost




LOW: 3.5CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

Default status
unaffected

10.10.0
unaffected

10.5.9
unaffected

10.5.0
affected

Credits

Juho Forsén finder

References

mattermost.com/security-updates

cve.org (CVE-2025-47700)

nvd.nist.gov (CVE-2025-47700)

Download JSON