CVE-2025-62690: Mattermost has missing redirect URL validation

December 17, 2025 (updated December 18, 2025)

Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab.

References

github.com/advisories/GHSA-q66g-q98c-q454
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/dad6bd7a1509054580a0898bbc0e026aac3b30cb
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2025-62690

Code Behaviors & Features

Detect and mitigate CVE-2025-62690 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →