Mend Vulnerability Database

Vulnerability DatabaseCVE-2025-9078

CVE-2025-9078

September 15, 2025

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing

Affected Packages

github.com/mattermost/mattermost (GO):

Affected version(s) >=v10.5.0 <v10.5.9

Fix Suggestion:

Update to version v10.5.9

github.com/mattermost/mattermost-server (GO):

Affected version(s) >=v10.8.0 <v10.8.4

Fix Suggestion:

Update to version v10.8.4

github.com/mattermost/mattermost-server (GO):

Affected version(s) >=v9.11.0 <v9.11.18

Fix Suggestion:

Update to version v9.11.18

github.com/mattermost/mattermost-server (GO):

Affected version(s) >=v10.9.0 <v10.9.4

Fix Suggestion:

Update to version v10.9.4

github.com/mattermost/mattermost-server (GO):

Affected version(s) >=v10.5.0 <v10.5.9

Fix Suggestion:

Update to version v10.5.9

github.com/mattermost/mattermost (GO):

Affected version(s) >=v9.11.0 <v9.11.18

Fix Suggestion:

Update to version v9.11.18

github.com/mattermost/mattermost-server (GO):

Affected version(s) >=v10.10.0 <v10.10.2

Fix Suggestion:

Update to version v10.10.2

github.com/mattermost/mattermost (GO):

Affected version(s) >=v10.8.0 <v10.8.4

Fix Suggestion:

Update to version v10.8.4

github.com/mattermost/mattermost (GO):

Affected version(s) >=v10.9.0 <v10.9.4

Fix Suggestion:

Update to version v10.9.4

github.com/mattermost/mattermost (GO):

Affected version(s) >=v10.10.0 <v10.10.2

Fix Suggestion:

Update to version v10.10.2

github.com/mattermost/mattermost/server/v8 (GO):

Affected version(s) >=v8.0.0-20230429093631-aac4f2337933 <v8.0.0-20250718075842-cd87e5c87737

Fix Suggestion:

Update to version v8.0.0-20250718075842-cd87e5c87737

Related Resources (7)

https://github.com/mattermost/mattermost/commit/944ad5cdd9876ef61c78c8275906262a4118755a

https://github.com/mattermost/mattermost/commit/cd87e5c877373f109742aa90a3fa136c14774325

https://github.com/mattermost/mattermost

https://github.com/mattermost/mattermost/commit/356880c8430b77a4a390c89d5a33f6928188d137

https://nvd.nist.gov/vuln/detail/CVE-2025-9078

https://mattermost.com/security-updates

https://github.com/mattermost/mattermost/commit/a8a4badc130be101e5bc4b7916bbcd2f966c4b79

Do you need more information?

CVSS v4

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

NONE

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Weakness Type (CWE)

Use of Weak Hash

CWE-328

EPSS

Base Score:

0.02

Products

Solutions

Resources

Company

Compare

Developer Tools