Impact
Mattermost Server versions prior to 11.4.0, 11.3.1, 11.2.3, 10.11.11 contain a server‑side request forgery (SSRF) flaw. The application does not fully canonicalize IPv4‑mapped IPv6 addresses before checking for reserved IP ranges. An attacker can supply a URL containing an IPv4‑mapped IPv6 literal such as [::ffff:127.0.0.1] to bypass the reserved‑IP filter and force the server to make requests to internal hosts. The flaw is categorized as CWE‑918 and could lead to unauthorized access to internal resources, though it does not provide arbitrary code execution. The attack is possible when the victim’s server resolves the supplied address, raising confidentiality and integrity risks for internal services.
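To make the canonicalization point concrete, here is an added Go example (not Mattermost's code; the reserved-range list and the function names are constructed for illustration) that shows a reserved-IP filter letting http://[::ffff:127.0.0.1]/ through when it compares the literal as parsed, and blocking it once the address is unmapped to its IPv4 form first.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
)

// Ranges a server-side fetcher must never reach (constructed list for this
// example, not Mattermost's own filter).
var reservedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("169.254.0.0/16"), // link-local, incl. cloud metadata
	netip.MustParsePrefix("::1/128"),
	netip.MustParsePrefix("fc00::/7"),
}

// hostAddr extracts the IP literal from a URL (Hostname strips the [] brackets).
func hostAddr(raw string) (netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return netip.Addr{}, err
	}
	return netip.ParseAddr(u.Hostname())
}

// isReservedNaive compares the literal exactly as parsed. Prefix.Contains never
// matches an IPv4-mapped IPv6 address against an IPv4 prefix: the bypass.
func isReservedNaive(ip netip.Addr) bool {
	for _, p := range reservedPrefixes {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// isReservedCanonical strips the ::ffff:0:0/96 mapping first so the address
// is judged in its IPv4 form; this is the canonicalization the advisory names.
func isReservedCanonical(ip netip.Addr) bool {
	return isReservedNaive(ip.Unmap())
}

func main() {
	ip, _ := hostAddr("http://[::ffff:127.0.0.1]:8065/")
	fmt.Println(isReservedNaive(ip), isReservedCanonical(ip)) // false true
}
```

The check covers IP literals only; a production filter must apply the same unmapping to every address that DNS returns for a hostname, at connection time rather than at URL-validation time.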
Affected Systems
The vulnerability affects the Mattermost Server product from Mattermost. Affected versions are all releases in the 11.3.x series up to and including 11.3.0, all releases in the 11.2.x series up to and including 11.2.2, and all releases in the 10.11.x series up to and including 10.11.10. The affected product is identified by the CPE: cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Risk and Exploitability
The CVSS base score for this vulnerability is 4.3, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild at this time. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is network‑based: an adversary supplies a URL whose host is an IPv4‑mapped IPv6 literal to a server feature that fetches user‑supplied URLs, and the reserved‑IP filter fails to recognise the mapped address as internal. Because the flaw lies in address canonicalization rather than in any single feature, exploitation requires only that some legitimate component of the server accepts user‑supplied URLs. The impact is limited to requests into the internal network, but it could enable lateral movement if reachable internal services act on those requests.