Low severity (score 2.7). GHSA Advisory. Published Sep 3, 2025. Updated Apr 15, 2026.
CVE-2025-9821
Description

Summary: Users with webhook permissions can conduct SSRF via webhooks. If they also have permission to view the webhook logs, the (partial) request response is disclosed as well.

Details: When sending webhooks, the destination is not validated, causing SSRF.

Impact: Bypass of firewalls to interact with internal services. See https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/ for more potential impact.

Resources: See https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html for more information on SSRF and its fix.
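The Details section says the webhook destination was not validated. The following is an added example of the kind of destination check the OWASP cheat sheet linked above recommends; it is not Mautic's code and not taken from the referenced commits. Mautic is a PHP project, so this Python version demonstrates the technique generically. All names (`validate_webhook_url`, `WebhookTarget`, `fake_resolver`) are assumptions, and the DNS answers in `FAKE_DNS` are constructed so the block runs offline.

```python
"""Outbound-webhook destination check (added example, not Mautic's code).

Refuses webhook targets that point at internal or special-purpose addresses,
which is the validation the advisory describes as missing. DNS resolution is
injectable so the demo runs offline against constructed answers.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Union
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class WebhookTarget:
    url: str
    host: str
    # Vetted IPs; the sender should connect to these rather than resolve again,
    # otherwise a DNS answer that changes between check and use bypasses the check.
    addresses: tuple


def _is_disallowed_ip(ip: IPAddress) -> bool:
    """True for any address a webhook must never be delivered to."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:10.0.0.5 is judged as 10.0.0.5
    if mapped is not None:
        ip = mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> list:
    """Real DNS lookup: every A/AAAA answer for host (used outside the demo)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_webhook_url(url: str, resolve: Resolver = system_resolver) -> WebhookTarget:
    """Return a pinned target for url, or raise ValueError explaining the rejection."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in the webhook URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("webhook URL has no host")
    _ = parts.port  # raises ValueError on a malformed port
    try:
        ipaddress.ip_address(host)  # literal IP: no lookup needed
        candidates = [host]
    except ValueError:
        candidates = list(resolve(host))
    if not candidates:
        raise ValueError(f"{host!r} did not resolve")
    vetted = []
    # Every answer must be public: one internal answer among several is still a rejection.
    for answer in candidates:
        ip = ipaddress.ip_address(answer.split("%")[0])  # drop any IPv6 scope id
        if _is_disallowed_ip(ip):
            raise ValueError(f"{host!r} points at non-public address {ip}")
        vetted.append(str(ip))
    return WebhookTarget(url=url, host=host, addresses=tuple(vetted))


def is_allowed_webhook_url(url: str, resolve: Resolver = system_resolver) -> bool:
    try:
        validate_webhook_url(url, resolve)
    except ValueError:
        return False
    return True


# Constructed DNS answers for the offline demo; these are not real lookups.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "mixed.example.net": ["93.184.216.34", "10.0.0.5"],  # public and internal answers together
    "linklocal.example.internal": ["169.254.1.1"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ["https://hooks.example.com/notify", "http://127.0.0.1:8080/",
                      "http://mixed.example.net/", "http://[::ffff:10.0.0.5]/",
                      "http://linklocal.example.internal/", "ftp://hooks.example.com/"]:
        try:
            target = validate_webhook_url(candidate, fake_resolver)
            print(f"ALLOW  {candidate} -> {target.addresses}")
        except ValueError as err:
            print(f"REJECT {candidate}: {err}")
```

Two points the check alone does not cover: the HTTP client must connect to the pinned addresses (with the original hostname kept for the Host header and TLS SNI) instead of resolving again, and it must not follow redirects unless each hop is re-validated with the same function. Note that Python's `ipaddress` classifies the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, which is why the constructed public answer above uses a different address. The log-disclosure half of the advisory is separate from destination validation: even with this check in place, webhook logs should store only what operators need from the response.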
Affected packages
Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| mautic/core | Packagist | >= 4.4.0, < 4.4.17 | 4.4.17 |
| mautic/core | Packagist | >= 5.0.0-alpha, < 5.2.8 | 5.2.8 |
| mautic/core | Packagist | >= 6.0.0-alpha, < 6.0.5 | 6.0.5 |
References
- https://github.com/advisories/GHSA-hj6f-7hp7-xg69 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-9821 (NVD entry)
- https://github.com/mautic/mautic/commit/6084f6de4c88d1aeb5f6c73ea4fe1b09c98ea52b (commit)
- https://github.com/mautic/mautic/commit/dc5bb1466c9a48fd34768dc8ff5888716b2916ba (commit)
- https://github.com/mautic/mautic/security/advisories/GHSA-hj6f-7hp7-xg69 (Mautic security advisory)