Mattermost Server SSRF Vulnerability via the Agents Plugin

GHSA-vqwh-5jhh-vc9p · CVE-2025-47700 · GO-2025-3906

Published Aug 21, 2025 · Modified Aug 29, 2025

Description

Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-47700
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates
WEB https://pkg.go.dev/vuln/GO-2025-3906

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes