PT-2025-15071 · Zammad · Zammad

Rodrigo Magalhães · Published 2025-04-05 · Updated 2025-04-06 · CVE-2025-32358

CVSS v3.1: 4.1 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Zammad versions 6.4.0 through 6.4.1

Description: The issue allows Server-Side Request Forgery (SSRF). Authenticated admin users can enable webhooks, which are triggered as POST requests when certain conditions are met. If a webhook endpoint returns a redirect response, Zammad follows it automatically with a further GET request. An attacker who controls the webhook endpoint could use this to make the Zammad server issue GET requests, for example to hosts on the local network.

Recommendations: For Zammad versions 6.4.0 through 6.4.1, update to version 6.4.2 or later to resolve the issue. As a temporary workaround, consider disabling the webhook feature until a patch is available. Restrict access to the webhook configuration to minimize the risk of exploitation. Avoid using the webhook endpoint in the affected Zammad version until the issue is resolved.
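To illustrate the class of mitigation this issue calls for, the following is an added Ruby example (not Zammad's code and not the 6.4.2 fix itself) of a webhook delivery policy that never follows a redirect blindly: the Location is re-validated against the same internal-address policy as the original endpoint, a hop limit applies, and the follow-up keeps the POST method. The blocked address ranges, hostnames and the injectable resolver are constructed assumptions.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Address ranges a webhook delivery must never reach (constructed list; an
# assumption for this example, not Zammad's policy).
WEBHOOK_BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Default name resolution; callers (and tests) may inject a stub to stay offline.
DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# Turn a URI host into IPAddr objects: literals are parsed directly, names resolved.
def webhook_target_ips(host, resolver)
  [IPAddr.new(host)]
rescue IPAddr::InvalidAddressError
  resolver.call(host).map { |a| IPAddr.new(a) }
end

# Returns [allowed, reason]. Every address the host maps to must be public, so a
# name that resolves to one public and one internal address is rejected as well.
def webhook_target_allowed?(uri, resolver: DEFAULT_RESOLVER)
  return [false, 'unsupported scheme'] unless %w[http https].include?(uri.scheme)
  return [false, 'credentials in URL'] if uri.userinfo
  return [false, 'missing host'] if uri.hostname.nil? || uri.hostname.empty?
  ips = webhook_target_ips(uri.hostname, resolver)
  return [false, 'unresolvable host'] if ips.empty?
  hit = ips.find { |ip| WEBHOOK_BLOCKED_RANGES.any? { |range| range.include?(ip) } }
  hit ? [false, "resolves to internal address #{hit}"] : [true, nil]
end

# Decide what the delivery worker does with the response to its webhook POST.
# A 3xx is never followed blindly: the Location (possibly relative) is resolved
# against the request URI, re-checked with the same policy as the original
# endpoint, and a hop limit applies. Returns [:delivered], [:drop, reason] or
# [:repost, target], where the caller re-POSTs the payload (no downgrade to GET).
def webhook_next_step(request_uri, status, location, hops: 0, max_hops: 1,
                      resolver: DEFAULT_RESOLVER)
  return [:delivered] unless (300..399).cover?(status)
  return [:drop, 'redirect limit reached'] if hops >= max_hops
  return [:drop, 'redirect without Location'] if location.nil?
  target = URI.join(request_uri.to_s, location)
  allowed, reason = webhook_target_allowed?(target, resolver: resolver)
  allowed ? [:repost, target] : [:drop, "redirect rejected: #{reason}"]
rescue URI::InvalidURIError
  [:drop, 'malformed Location']
end
```

The check above validates at decision time only; a production client should also connect to the address it validated (or re-validate at connect time) so that a DNS answer changing between check and connection cannot bypass the policy.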

Fix
SSRF

Weakness Enumeration

Related Identifiers: CVE-2025-32358

Affected Products: Zammad