What is the CVSS score of CVE-2025-47700?

CVE-2025-47700 has a CVSS 3.1 base score of 3.5 (Low). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Mattermost Server are affected by CVE-2025-47700?

CVE-2025-47700 is a low-severity vulnerability involving SSRF (CVSS 3.5). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation.. A patch is available.

How to fix or mitigate CVE-2025-47700?

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

Mattermost Server CVE-2025-47700

LOW

Server-Side Request Forgery (SSRF) (CWE-918)

2025-08-21 responsibledisclosure@mattermost.com

SSRF Mattermost Server

3.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 28, 2026 - 19:08 vuln.today

CVE Published

Aug 21, 2025 - 08:15 nvd

LOW 3.5

DescriptionNVD

Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions

AnalysisAI

Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions Affected products include: Mattermost Mattermost Server.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.

CVE-2025-47700 vulnerability details – vuln.today

Back