CVE-2025-32358: 
NixOS vulnerability analysis and mitigation

In Zammad 6.4.x before 6.4.2, a Server-Side Request Forgery (SSRF) vulnerability was discovered. The vulnerability was disclosed on April 2, 2025, and affects Zammad versions 6.4.x before 6.4.2. This security issue has been assigned CVE-2025-32358 and is classified with a CVSS v3.1 base score of 4.1 (MEDIUM) (NVD).

The vulnerability exists in the webhook functionality of Zammad. When authenticated admin users enable webhooks, which are triggered as POST requests under certain conditions, the system automatically follows redirect responses with a GET request. This behavior occurs without proper validation of the redirect destination (Zammad Advisory). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N, indicating network accessibility, low attack complexity, high privileges required, no user interaction needed, and potential for information disclosure (NVD).

The vulnerability could allow an attacker to cause GET requests to internal network resources, potentially leading to unauthorized access to internal systems or information disclosure. The scope is changed (C) with low confidentiality impact, while integrity and availability remain unaffected (NVD).

The vulnerability has been fixed in Zammad versions 6.5.0 and 6.4.2. Users are recommended to upgrade to one of these fixed versions. Updates can be obtained through the official Zammad website, FTP server, or via OS package manager (Zammad Advisory).