Mattermost has missing redirect URL validation

GHSA-q66g-q98c-q454 · CVE-2025-62690 · GO-2025-4248

Published Dec 17, 2025 · Modified Jan 14, 2026

Description

Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-62690
WEB https://github.com/mattermost/mattermost/commit/dad6bd7a1509054580a0898bbc0e026aac3b30cb
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes