Platform: mattermost
Component: mattermost-mobile-apps
Fixed in: 2.32.1
CVE-2025-59480 is a medium-severity vulnerability affecting Mattermost Mobile Apps versions 0 through 2.32.0. This flaw stems from inadequate verification of Single Sign-On (SSO) redirect tokens, allowing attackers to potentially intercept and exploit these tokens to gain unauthorized access to user accounts. The vulnerability has been resolved in version 2.33.0, and users are strongly advised to upgrade to mitigate the risk.
The primary impact of CVE-2025-59480 is the potential for unauthorized access to user accounts within Mattermost. An attacker controlling a malicious Mattermost instance or positioned as an on-path attacker can craft a malicious token-in-URL response. When a user authenticates through SSO, the redirect token, which is intended to securely pass authentication information, is not properly validated. This allows the attacker to impersonate the user and gain access to their data and communication history. The blast radius extends to all users relying on SSO for authentication within the affected Mattermost Mobile Apps.
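The defensive counterpart to the flaw described above, as an added example that is not Mattermost's code: before a mobile client accepts a token carried in an SSO redirect URL, it binds the response to the server and the login flow it started itself. The callback path, the `token` and `state` parameter names, the token character set and the sample URLs are all assumptions made for this example.

```javascript
// Added example, not Mattermost's code. Validates an SSO redirect callback
// before a mobile client accepts the token it carries in the URL.
// Assumed names: CALLBACK_PATH, the "token"/"state" parameters, TOKEN_RE.
const CALLBACK_PATH = "/login/sso/callback";        // assumed callback path
const TOKEN_RE = /^[A-Za-z0-9_-]{20,256}$/;         // assumed conservative token shape

// Records the login flow the client itself started: the server the user chose
// and a one-time nonce generated when the SSO browser was opened.
function startSsoFlow(serverUrl, nonce) {
  return { host: new URL(serverUrl).host, state: nonce };
}

// Returns {ok: true, token} only when every binding holds; otherwise {ok: false, reason}.
function validateSsoRedirect(redirectUrl, flow) {
  let url;
  try {
    url = new URL(redirectUrl);
  } catch {
    return { ok: false, reason: "unparseable redirect URL" };
  }
  // 1. Transport: only a TLS-protected redirect is trusted, which removes the
  //    plain on-path injection of a token-in-URL response.
  if (url.protocol !== "https:") return { ok: false, reason: "non-https redirect" };
  // 2. Origin: exact host match against the server this flow was started for,
  //    so a token presented by a different (possibly malicious) instance is refused.
  if (url.host !== flow.host) return { ok: false, reason: "host mismatch" };
  if (url.pathname !== CALLBACK_PATH) return { ok: false, reason: "unexpected path" };
  // 3. Binding: the state must equal the nonce we generated, so a response the
  //    client never requested (crafted or replayed) is refused.
  if (url.searchParams.get("state") !== flow.state) return { ok: false, reason: "state mismatch" };
  // 4. Shape: the token must be present and well-formed before it is stored.
  const token = url.searchParams.get("token");
  if (!token || !TOKEN_RE.test(token)) return { ok: false, reason: "missing or malformed token" };
  return { ok: true, token };
}

// Constructed sample inputs (not captured traffic): a genuine callback and one
// from a look-alike host that reuses the same token and state values.
const SAMPLE_FLOW = startSsoFlow("https://chat.example.test", "n0nce-abcdef123456");
const SAMPLE_GOOD = "https://chat.example.test/login/sso/callback?token=abcdefghijklmnopqrstuvwxyz&state=n0nce-abcdef123456";
const SAMPLE_LOOKALIKE = "https://chat.example.test.lookalike.test/login/sso/callback?token=abcdefghijklmnopqrstuvwxyz&state=n0nce-abcdef123456";
console.log(validateSsoRedirect(SAMPLE_GOOD, SAMPLE_FLOW));      // {ok: true, token: ...}
console.log(validateSsoRedirect(SAMPLE_LOOKALIKE, SAMPLE_FLOW)); // {ok: false, reason: "host mismatch"}
```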
CVE-2025-59480 was publicly disclosed on 2025-11-13. There is currently no indication of active exploitation campaigns targeting this vulnerability. The EPSS score is pending evaluation. No public proof-of-concept (PoC) code has been released at the time of this writing, but the vulnerability's nature makes it likely that a PoC will emerge.
Exploit Status
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2025-59480 is to immediately upgrade Mattermost Mobile Apps to version 2.33.0 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to Mattermost from untrusted networks or implementing stricter SSO configuration policies. Monitor network traffic for suspicious redirect URLs and consider using a Web Application Firewall (WAF) to filter out malicious requests. After upgrading, verify the fix by attempting an SSO login and confirming that the redirect token is properly validated.
Update Mattermost Mobile Apps to a version later than 2.32.0. This corrects the inadequate validation of SSO redirect credentials, preventing credential theft. Download the latest version from the appropriate app store.
CVE-2025-59480 is a medium-severity vulnerability in Mattermost Mobile Apps (versions 0–2.32.0) where redirect tokens used for SSO authentication are not properly validated, allowing attackers to potentially steal user session credentials.
If you are using Mattermost Mobile Apps version 0 through 2.32.0, you are potentially affected by this vulnerability. Upgrade to version 2.33.0 or later to mitigate the risk.
The recommended fix is to upgrade Mattermost Mobile Apps to version 2.33.0 or later. If immediate upgrade is not possible, consider temporary workarounds like restricting access from untrusted networks.
There is currently no confirmed evidence of active exploitation of CVE-2025-59480, but the vulnerability's nature makes it a potential target.
Refer to the official Mattermost security advisory for detailed information and updates regarding CVE-2025-59480: [https://mattermost.com/security/advisories](https://mattermost.com/security/advisories)