CVE-2025-9078
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-09-15
Last updated on: 2025-09-16
Assigner: Mattermost, Inc.
Description
Description
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 9.11.0 (inc) to 9.11.18 (exc) |
| mattermost | mattermost_server | From 10.5.0 (inc) to 10.5.9 (exc) |
| mattermost | mattermost_server | From 10.8.0 (inc) to 10.8.4 (exc) |
| mattermost | mattermost_server | From 10.9.0 (inc) to 10.9.4 (exc) |
| mattermost | mattermost_server | From 10.10.0 (inc) to 10.10.2 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-328 | The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in certain Mattermost versions involves improper validation of cache keys for link metadata. It allows authenticated users to exploit hash collision attacks on the FNV-1 hashing algorithm to access unauthorized posts and manipulate link previews.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access to posts that a user should not be able to see and can allow attackers to poison link previews, potentially misleading users or exposing sensitive information.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70