CVE-2025-9821: 
PHP vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Mautic (CVE-2025-9821), affecting versions 4.4.0 through 4.4.17, 5.0.0-alpha through 5.2.8, and 6.0.0-alpha through 6.0.5. The vulnerability was disclosed on September 3, 2025, allowing users with webhook permissions to conduct SSRF attacks via webhooks (Mautic Advisory, NVD).

The vulnerability stems from insufficient validation of webhook destinations when sending webhooks. The issue is tracked as CWE-918 (Server-Side Request Forgery) and has been assigned a CVSS v3.1 base score of 2.7 (Low) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N. This indicates that while the vulnerability is network-accessible, it requires high privileges to exploit and can only result in low confidentiality impact (Mautic Advisory).

The primary impact of this vulnerability is the potential bypass of firewalls to interact with internal services. Additionally, if users have permission to view webhook logs, they can access partial request responses, potentially exposing sensitive information (Mautic Advisory).

The vulnerability has been patched in Mautic versions 4.4.17, 5.2.8, and 6.0.5. Users are advised to upgrade to these patched versions to mitigate the risk (Mautic Advisory).