
CVE-2025-9072: Mattermost Open Redirect vulnerability

CVSS Score: 7.6 (CVSS v3.1)

Basic Information

EPSS Score: 0.08674%
Published: 9/15/2025
Updated: 9/16/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| github.com/mattermost/mattermost-server | go | >= 10.10.0, < 10.10.2 | 10.10.2 |
| github.com/mattermost/mattermost-server | go | >= 10.5.0, < 10.5.10 | 10.5.10 |
| github.com/mattermost/mattermost-server | go | >= 10.9.0, < 10.9.5 | 10.9.5 |
| github.com/mattermost/mattermost/server/v8 | go | < 8.0.0-20250731063404-9eebaadf8f72 | 8.0.0-20250731063404-9eebaadf8f72 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The analysis of the provided commits clearly indicates that the vulnerability is located in the `fullyQualifiedRedirectURL` function within the `server/channels/web/oauth.go` file. All three provided patches modify this exact function to introduce stricter validation for the redirect URL. The vulnerability description mentions a failure to validate the `redirect_to` parameter, and this function is where the `targetURL` (derived from that parameter) is processed to create a full URL. The patch replaces a simple and flawed URL parsing and concatenation logic with a robust validation mechanism. This new mechanism checks that the scheme and host of the target URL match the site's URL and also prevents path traversal attacks by cleaning and comparing URL paths. Therefore, the `fullyQualifiedRedirectURL` function is the exact location of the open redirect vulnerability. During exploitation, a call to this function with a malicious `targetURL` would be present in the runtime profile.

Vulnerable functions

`fullyQualifiedRedirectURL` in `server/channels/web/oauth.go`
The vulnerability lies in the `fullyQualifiedRedirectURL` function, which is responsible for constructing the final redirect URL after a user authenticates. The original implementation did not properly validate the `targetURL` parameter, which is derived from the user-provided `redirect_to` parameter. It performed a weak check that could be bypassed. For instance, a URL starting with `//` would be treated as a relative path, but the browser would interpret it as a protocol-relative URL, leading to a redirect to an external domain. The function also lacked protection against path traversal attacks. An attacker could craft a malicious link that, once a user authenticates, would redirect them to an attacker-controlled URL, potentially exposing their session cookies.
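As an added illustration (not Mattermost's code and not taken from the referenced patches), the following Go program places the flawed pattern the analysis describes next to a validator that applies the checks the patch is described as adding: the target's scheme and host must match the site URL, and the cleaned path must stay under the site's base path. The function names `naiveRedirectURL` and `fullyQualifiedRedirect`, the site URLs and the redirect targets are constructed assumptions; the backslash rejection is an extra hardening step not mentioned on this page.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// naiveRedirectURL reproduces the class of flaw described above: a target with
// no scheme is assumed to be a site-relative path and returned unchanged.
// url.Parse reports "//evil.example/x" as scheme-less, so it passes, yet a
// browser resolves it as a protocol-relative URL on an external host.
// Constructed illustration, not the original Mattermost code.
func naiveRedirectURL(siteURL, target string) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" {
		return target, nil // BUG: "//host/path" is treated as relative
	}
	site, err := url.Parse(siteURL)
	if err != nil {
		return "", err
	}
	if u.Host != site.Host {
		return "", errors.New("redirect target is off-site")
	}
	return target, nil
}

// fullyQualifiedRedirect resolves target against siteURL and rebuilds the
// result from the site's own scheme and host. Hypothetical name; assumes
// siteURL is absolute, e.g. "https://chat.example.com" or
// "https://example.com/mattermost".
func fullyQualifiedRedirect(siteURL, target string) (string, error) {
	site, err := url.Parse(siteURL)
	if err != nil || site.Scheme == "" || site.Host == "" {
		return "", errors.New("invalid site URL")
	}
	// Browsers normalise "\" to "/", so "/\evil.example" would turn into a
	// protocol-relative URL after parsing; refuse backslashes outright.
	if strings.ContainsRune(target, '\\') {
		return "", errors.New("backslash in redirect target")
	}
	t, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	if t.Scheme != "" && t.Scheme != site.Scheme {
		return "", errors.New("scheme mismatch")
	}
	// A protocol-relative target has an empty scheme but a non-empty host,
	// so this check rejects it along with explicit off-site URLs.
	if t.Host != "" && !strings.EqualFold(t.Host, site.Host) {
		return "", errors.New("host mismatch")
	}
	// Resolve relative paths against the site base path, clean "." and ".."
	// segments, and require the result to remain under the base path.
	base := path.Clean("/" + strings.Trim(site.Path, "/"))
	var p string
	if t.Host == "" && !strings.HasPrefix(t.Path, "/") {
		p = path.Join(base, t.Path)
	} else {
		p = path.Clean("/" + strings.TrimPrefix(t.Path, "/"))
	}
	if base != "/" && p != base && !strings.HasPrefix(p, base+"/") {
		return "", errors.New("path escapes site base path")
	}
	out := url.URL{Scheme: site.Scheme, Host: site.Host, Path: p,
		RawQuery: t.RawQuery, Fragment: t.Fragment}
	return out.String(), nil
}

func main() {
	site := "https://chat.example.com" // constructed sample site URL
	for _, target := range []string{"/channels/town-square", "//evil.example/phish",
		"https://evil.example/", "/\\evil.example"} {
		naive, _ := naiveRedirectURL(site, target)
		hardened, err := fullyQualifiedRedirect(site, target)
		fmt.Printf("%-24q naive=%q hardened=%q err=%v\n", target, naive, hardened, err)
	}
}
```

Rebuilding the result from the site's scheme and host, rather than echoing the caller's string, is what makes the function safe regardless of how the browser would have interpreted the raw input; the path check matters only when the site runs under a sub-path, where `..` segments could otherwise escape it.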
