Launch Week Day 1: Announcing Security Design Review
Start for Free
MEDIUM 6.5 Go

Mattermost fails to check Websocket request for proper UTF-8 format potentially crashing Calls plug-in

GHSA-j5vq-62gr-8v3r · CVE-2025-12689 · GO-2025-4255

Published · Modified

Description

Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes