Skip to main content

Mattermost Mobile CVE-2025-59480

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-11-13 responsibledisclosure@mattermost.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 19:22 vuln.today
CVE Published
Nov 13, 2025 - 18:15 nvd
MEDIUM 6.1

DescriptionCVE.org

Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user session credentials via crafted token-in-URL responses

AnalysisAI

Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user session credentials via crafted token-in-URL responses Affected products include: Mattermost Mattermost Mobile.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2020-14451 HIGH
7.5 Jun 19

An issue was discovered in Mattermost Mobile Apps before 1.29.0. Rated high severity (CVSS 7.5), this vulnerability is r

CVE-2020-14449 HIGH
7.5 Jun 19

An issue was discovered in Mattermost Mobile Apps before 1.30.0. Rated high severity (CVSS 7.5), this vulnerability is r

CVE-2025-1558 MEDIUM
6.5 Mar 24

Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering which allows a maliciou

CVE-2024-45833 MEDIUM
6.5 Sep 16

Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible

CVE-2024-39767 MEDIUM
6.5 Jul 15

Mattermost Mobile Apps versions <=2.16.0 fail to validate that the push notifications received for a server actually cam

CVE-2024-3872 MEDIUM
6.5 Apr 16

Mattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain d

CVE-2024-24975 MEDIUM
6.5 Mar 15

Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to limit the size of the code block

CVE-2024-11358 MEDIUM
5.5 Dec 16

Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with

CVE-2024-32945 MEDIUM
5.3 Jul 15

Mattermost Mobile Apps versions <=2.16.0 fail to protect against abuse of a globally shared MathJax state which allows a

CVE-2025-30516 LOW
2.0 Apr 14

Mattermost Mobile Apps versions <=2.25.0 fail to terminate sessions during logout under certain conditions (e.g. Rated l

CVE-2025-20630 MEDIUM
6.5 Jan 16

Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast

CVE-2025-20072 MEDIUM
6.5 Jan 16

Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.

Share

CVE-2025-59480 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy