CVE-2025-59480 | THREATINT

Description

Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user session credentials via crafted token-in-URL responses

PUBLISHED Reserved 2025-10-15 | Published 2025-11-13 | Updated 2025-11-13 | Assigner Mattermost

MEDIUM: 6.1CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Problem types

CWE-352: Cross-Site Request Forgery (CSRF)

Product status

Default status

unaffected

Any version

affected

2.33.0

unaffected

Credits

Doyensec finder

References

mattermost.com/security-updates

cve.org (CVE-2025-59480)

nvd.nist.gov (CVE-2025-59480)

Download JSON