PT-2025-51852 · Mattermost · Mattermost+1

Published

2025-12-17

Updated

2026-01-06

CVE-2025-12689

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.0.x through 11.0.4 Mattermost versions 10.11.x through 10.11.6 Mattermost versions 10.12.x through 10.12.2

Description The software does not properly validate the UTF-8 format of WebSocket requests. This allows an attacker to cause a denial-of-service condition by sending a malformed request, specifically targeting the Calls plug-in. The issue can lead to a crash of the Calls plug-in.

Recommendations Update Mattermost to a version later than 11.0.4. Update Mattermost to a version later than 10.11.6. Update Mattermost to a version later than 10.12.2.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1287

Related Identifiers

CVE-2025-12689

GHSA-J5VQ-62GR-8V3R

GO-2025-4255

SUSE-SU-2026:0037-1

Affected Products

Calls Plug-In

Mattermost

PT-2025-51852 · Mattermost · Mattermost+1

CVE-2025-12689

Weakness Enumeration

Related Identifiers

Affected Products

References · 85