CVE-2025-9084: Mattermost Open Redirect vulnerability
3.1
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8 | go | < 8.0.0-202508080704-39bd251fe4f600 | 8.0.0-202508080704-39bd251fe4f600 |
| github.com/mattermost/mattermost-server | go | >= 10.5.0, < 10.5.10 | 10.5.10 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is an open redirect caused by improper validation of redirect URLs in Mattermost. The analysis of the provided patch commit 39bd251fe4f66b7e847fc6d653221886347ff160 reveals the root cause and the affected functions.
The core of the vulnerability is within the fullyQualifiedRedirectURL function located in server/channels/web/oauth.go. Before the patch, this function only performed a basic check that the redirect URL's path was a subpath of the site URL. It did not properly validate the scheme and host of the URL, in particular for the custom URL schemes used by the mobile applications (e.g., mmauth://). This allowed an attacker to craft a redirect URL that passed the check and sent the user to a malicious website.
The patch addresses this by modifying fullyQualifiedRedirectURL to accept a list of other valid schemes and adding specific checks for them. This ensures that only legitimate redirect URLs are allowed.
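As an added illustration of the class of check the patch describes (validate scheme and host against the site URL, and accept custom schemes only from an explicit allow-list), the following Go validator is example code written for this page; it is not Mattermost's code, and the function, host names and the "mmauth" allow-list entry are assumptions for the demonstration, not the exact checks of the commit:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sameOrigin: scheme and host must match the configured site URL.
func sameOrigin(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) && strings.EqualFold(a.Host, b.Host)
}

// underPath: p must equal base or be a true sub-path of it
// ("/mm" must not accept "/mmx").
func underPath(p, base string) bool {
	base = strings.TrimSuffix(base, "/")
	if base == "" {
		return true
	}
	return p == base || strings.HasPrefix(p, base+"/")
}

// isSafeRedirect is a hypothetical validator (not Mattermost's code).
// A redirect is accepted only if it uses an allow-listed custom scheme
// or resolves to the same scheme, host and path prefix as siteURL.
func isSafeRedirect(siteURL, redirect string, allowedSchemes []string) bool {
	site, err := url.Parse(siteURL)
	if err != nil || site.Host == "" {
		return false
	}
	target, err := url.Parse(redirect)
	if err != nil {
		return false
	}
	// Custom app schemes (e.g. mmauth) pass only when explicitly allow-listed.
	for _, s := range allowedSchemes {
		if strings.EqualFold(target.Scheme, s) {
			return true
		}
	}
	// Relative targets are resolved against the site URL; "//host/..." keeps
	// its own host and therefore fails the origin check below.
	if target.Scheme == "" && target.Host == "" {
		target = site.ResolveReference(target)
	}
	return sameOrigin(site, target) && underPath(target.Path, site.Path)
}

func main() {
	for _, r := range []string{"/channels/town-square", "mmauth://callback", "https://attacker.example/"} {
		fmt.Printf("%-28s safe=%v\n", r, isSafeRedirect("https://chat.example.com", r, []string{"mmauth"}))
	}
}
```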
The functions completeOAuth (in server/channels/web/oauth.go) and completeSaml (in server/channels/web/saml.go) are the entry points for the vulnerable logic during the OAuth and SAML login flows, respectively. Both of these functions call fullyQualifiedRedirectURL to get the final redirect URL. Therefore, when a user is tricked into clicking a malicious link to initiate an OAuth or SAML login, these functions would be executed, and they would in turn call the vulnerable fullyQualifiedRedirectURL function, leading to the open redirect.
Consequently, a runtime profile of an exploit would show completeOAuth or completeSaml calling fullyQualifiedRedirectURL. All three functions are the key indicators that this vulnerable code path is being exercised.