Moderate severity · NVD Advisory · Published Sep 15, 2025 · Updated Sep 15, 2025
Weak cache keys lead to post IDOR and link preview poisoning
CVE-2025-9078
Description
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, and 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata, which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-server (Go) | >= 10.8.0, < 10.8.4 | 10.8.4 |
| github.com/mattermost/mattermost-server (Go) | >= 10.5.0, < 10.5.9 | 10.5.9 |
| github.com/mattermost/mattermost-server (Go) | >= 9.11.0, < 9.11.18 | 9.11.18 |
| github.com/mattermost/mattermost-server (Go) | >= 10.10.0, < 10.10.2 | 10.10.2 |
| github.com/mattermost/mattermost-server (Go) | >= 10.9.0, < 10.9.4 | 10.9.4 |
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20250718075842-cd87e5c87737 | 8.0.0-20250718075842-cd87e5c87737 |
Affected products (6)
- ghsa-coords (5 versions), range: >= 10.8.0, < 10.8.4 (+ 4 more)
  - pkg:golang/github.com/mattermost/mattermost-server
  - pkg:golang/github.com/mattermost/mattermost/server/v8
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
- (no CPE) range: >= 10.8.0, < 10.8.4
- (no CPE) range: < 8.0.0-20250718075842-cd87e5c87737
- (no CPE) range: < 0.0.20250918T182144-150000.1.107.1
- (no CPE) range: < 0.0.20250917T170349-1.1
- (no CPE) range: < 0.0.20250918T182144-150000.1.107.1
- Range: 10.8.0
References (7)
- github.com/advisories/GHSA-9p92-x77w-9fw2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-9078 (ghsa, ADVISORY)
- github.com/mattermost/mattermost/commit/356880c8430b77a4a390c89d5a33f6928188d137 (ghsa, WEB)
- github.com/mattermost/mattermost/commit/944ad5cdd9876ef61c78c8275906262a4118755a (ghsa, WEB)
- github.com/mattermost/mattermost/commit/a8a4badc130be101e5bc4b7916bbcd2f966c4b79 (ghsa, WEB)
- github.com/mattermost/mattermost/commit/cd87e5c877373f109742aa90a3fa136c14774325 (ghsa, WEB)
- mattermost.com/security-updates (ghsa, WEB)