Mattermost Mobile
CVE-2025-59480
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user session credentials via crafted token-in-URL responses
AnalysisAI
Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user session credentials via crafted token-in-URL responses Affected products include: Mattermost Mattermost Mobile.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.
More in Mattermost Mobile
View allAn issue was discovered in Mattermost Mobile Apps before 1.29.0. Rated high severity (CVSS 7.5), this vulnerability is r
An issue was discovered in Mattermost Mobile Apps before 1.30.0. Rated high severity (CVSS 7.5), this vulnerability is r
Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering which allows a maliciou
Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible
Mattermost Mobile Apps versions <=2.16.0 fail to validate that the push notifications received for a server actually cam
Mattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain d
Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to limit the size of the code block
Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with
Mattermost Mobile Apps versions <=2.16.0 fail to protect against abuse of a globally shared MathJax state which allows a
Mattermost Mobile Apps versions <=2.25.0 fail to terminate sessions during logout under certain conditions (e.g. Rated l
Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast
Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today