CVE-2025-61987

Summary

GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. do not validate origins in WebSockets. If a user accesses a crafted page, Chat information sent to the user may be exposed.

Affected Software

VendorProductVersion RangeStatus
Japan Total System Co.,Ltd.GroupSession Free editionprior to ver5.3.0affected
Japan Total System Co.,Ltd.GroupSession byCloudprior to ver5.3.3affected
Japan Total System Co.,Ltd.GroupSession ZIONprior to ver5.3.2affected

Weaknesses

  • CWE-1385: Missing origin validation in WebSockets

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References