CVE-2025-2091: Open Redirection in M-Files Mobile

DESCRIPTION

An open redirection vulnerability in M-Files mobile applications for Android and iOS prior to version 25.6.0 allows attackers to use maliciously crafted PDF files to trick other users into making requests to untrusted URLs.

AFFECTED PRODUCTS

M-Files Mobile iOS and Android applications before 25.6.0

MORE INFORMATION

Exploiting this vulnerability requires the attacker to be an authenticated user who can add content to the vault, and it requires user interaction from the victim.

CVSS 4.0 CVSS-B Score: 4.8

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green

CWE: CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’)

CAPEC: CAPEC-636 Hiding Malicious Data or Code within Files

Internal ID: MOB-146, MOB-147

Alternate IDs:

Date issued: 2025-06-16

Credits: Pasi Orovuo / Solita Oy, Teemu Laakso / Solita Oy

EXPLOITABILITY

Publicly disclosed: No
Exploited: No
Probability of exploitation: Low – Responsibly Reported

LINKS

CVE Record: CVE-2025-2091

HISTORY

2025-06-16 Published
