x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-q66g-q98c-q454 #4248
Description
Advisory GHSA-q66g-q98c-q454 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/mattermost/mattermost |
| github.com/mattermost/mattermost |
Description:
Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab.
References:
- ADVISORY: GHSA-q66g-q98c-q454
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-62690
- FIX: mattermost/mattermost@dad6bd7
- WEB: https://mattermost.com/security-updates
Cross references:
- github.com/mattermost/mattermost appears in 18 other report(s):
- data/excluded/GO-2023-2391.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v: GHSA-7664-hcp7-f497 #2391) EFFECTIVELY_PRIVATE
- data/reports/GO-2023-1939.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-j2h2-cvwh-cr64 #1939)
- data/reports/GO-2025-4122.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-mqcj-8c2g-h97q #4122)
- data/reports/GO-2025-4126.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-j6gg-r5jc-47cm #4126)
- data/reports/GO-2025-4172.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-p6gj-jc38-x2m7 #4172)
- data/reports/GO-2025-4172.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-p6gj-jc38-x2m7 #4172)
- data/reports/GO-2025-4172.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-p6gj-jc38-x2m7 #4172)
- data/reports/GO-2025-4172.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-p6gj-jc38-x2m7 #4172)
- data/reports/GO-2025-4178.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-58w6-w55x-6wq8 #4178)
- data/excluded/GO-2023-2391.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v: GHSA-7664-hcp7-f497 #2391) EFFECTIVELY_PRIVATE
- data/reports/GO-2023-1939.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-j2h2-cvwh-cr64 #1939)
- data/reports/GO-2025-4122.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-mqcj-8c2g-h97q #4122)
- data/reports/GO-2025-4126.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-j6gg-r5jc-47cm #4126)
- data/reports/GO-2025-4172.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-p6gj-jc38-x2m7 #4172)
- data/reports/GO-2025-4172.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-p6gj-jc38-x2m7 #4172)
- data/reports/GO-2025-4172.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-p6gj-jc38-x2m7 #4172)
- data/reports/GO-2025-4172.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-p6gj-jc38-x2m7 #4172)
- data/reports/GO-2025-4178.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-58w6-w55x-6wq8 #4178)
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/mattermost/mattermost
non_go_versions:
- introduced: 8.0.0-20250721062209-4952acea88ce
- fixed: 8.0.0-20251016131338-dad6bd7a1509
vulnerable_at: 11.2.1+incompatible
- module: github.com/mattermost/mattermost
versions:
- introduced: 10.11.0-rc1+incompatible
- introduced: 11.0.0-alpha.1+incompatible
- fixed: 11.1.0+incompatible
non_go_versions:
- fixed: 10.11.5-0.20251016131338-dad6bd7a1509
vulnerable_at: 11.1.0-rc4+incompatible
summary: Mattermost has missing redirect URL validation in github.com/mattermost/mattermost
cves:
- CVE-2025-62690
ghsas:
- GHSA-q66g-q98c-q454
references:
- advisory: https://github.com/advisories/GHSA-q66g-q98c-q454
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-62690
- fix: https://github.com/mattermost/mattermost/commit/dad6bd7a1509054580a0898bbc0e026aac3b30cb
- web: https://mattermost.com/security-updates
notes:
- fix: 'module merge error: could not merge versions of module github.com/mattermost/mattermost: introduced and fixed versions must alternate'
source:
id: GHSA-q66g-q98c-q454
created: 2025-12-18T16:01:54.491204229Z
review_status: UNREVIEWED