CVE-2025-12689

Summary

Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost11.0.0 <= 11.0.4affected
MattermostMattermost10.12.0 <= 10.12.2affected
MattermostMattermost10.11.0 <= 10.11.6affected
MattermostMattermost11.1.0unaffected
MattermostMattermost11.0.5unaffected
MattermostMattermost10.12.3unaffected
MattermostMattermost10.11.7unaffected

Weaknesses

  • CWE-1287: CWE-1287: Improper Validation of Specified Type of Input

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References