CVE-2025-12689
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-29
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.7 (exc) |
| mattermost | mattermost_server | From 10.12.0 (inc) to 10.12.3 (exc) |
| mattermost | mattermost_server | From 11.0.0 (inc) to 11.0.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, and 10.11.x <= 10.11.6, where the software fails to check the WebSocket request field for proper UTF-8 format. This flaw allows an attacker to send a malformed WebSocket request that can crash the Calls plug-in.
How can this vulnerability impact me? :
The impact of this vulnerability is a denial of service condition where an attacker can crash the Calls plug-in by sending malformed WebSocket requests. This can disrupt communication features relying on the Calls plug-in, potentially affecting availability.